Hi Vivek,

On June 25th, Apache Kafka 4.3.1 was released and is available for use

Of the CVEs you mentioned:

Kafka Core
- CVE-2026-41115 -> Fixed in 4.3.1 (documentation update)

OpenTelemetry
- CVE-2026-39882 -> seems to refer to opentelemetry-go and we use
opentelemetry-proto only
- CVE-2026-41078 -> seems to refer to opentelemetry-dotnet, we use
opentelemetry-proto only
- CVE-2026-40894 -> seems to refer to opentelemetry-dotnet, we use
opentelemetry-proto only
- CVE-2026-44967 -> seems to refer to opentelemetry-c++, we use
opentelemetry-proto only

JLine
- GHSA-2r2c-cx56-8933 -> seems to refer to JLine-telnet. We don't use this
submodule
- GHSA-47qp-hqvx-6r3f -> seems to refer to JLine-telnet. We don't use this
submodule
-  XRAY-1005950 and XRAY-1005951 -> these appear to be JFrog Xray internal
database identifiers rather than CVEs, so we can't look them up publicly.
Could you share the affected component and version from your scanner
report? They may correspond to the two JLine GHSA advisories above, which
never received CVE IDs.

Jackson
- CVE-2026-54512 -> We still have a dependency affected by this CVE
- CVE-2026-54513 -> We still have a dependency affected by this CVE
- CVE-2026-54514 -> We still have a dependency affected by this CVE
- CVE-2026-54515 -> We still have a dependency affected by this CVE
- CVE-2026-54516 -> We still have a dependency affected by this CVE
- CVE-2026-54517 -> We still have a dependency affected by this CVE
- CVE-2026-54518 -> We still have a dependency affected by this CVE

For the Jackson CVEs, we have already updated our dependency to fix these
issues. Therefore, newer Apache Kafka versions (4.2 or newer) released
after July 9th will include a non-vulnerable dependency for these CVEs. You
can see the PR where this was fixed here:
https://github.com/apache/kafka/pull/22793
However, based on static analysis of the 4.3.1 distribution, the code
doesn't seem to reach any of the vulnerable classes highlighted in these
CVEs. The only case where this might be tangentially affected is Trogdor
which is a test framework and should not be used in production.

Regarding the version release, there is no planned date for an eventual
4.3.2 version at the moment of writing this email.

Thanks for staying vigilant. Let me know if you disagree with the above
assessment.

Best,

On Tue, Jul 14, 2026 at 7:06 AM Vivek Agarwal B via users <
[email protected]> wrote:

> Hello Team,
>
>
>
> Could you please confirm the plan to release a new Kafka version that
> includes fixes for vulnerabilities identified primarily in transient
> dependencies such as Jackson, JLine, OpenTelemetry and a few others?
>
>
>
> These are detected in kafka v4.3.0.
>
>
>
> Below is the list of identified vulnerabilities for reference:
>
>
>
> Kafka core
>
> CVE-2026-41115
>
>
>
> OpenTelemetry
>
> CVE-2026-39882
>
> CVE-2026-41078
>
> CVE-2026-40894
>
> CVE-2026-44967
>
>
>
> JLine
>
> GHSA-2r2c-cx56-8933
>
> GHSA-47qp-hqvx-6r3f
>
> XRAY-1005950
>
> XRAY-1005951
>
>
>
> Jackson -
>
> CVE-2026-54512
>
> CVE-2026-54513
>
> CVE-2026-54514
>
> CVE-2026-54515
>
> CVE-2026-54516
>
> CVE-2026-54517
>
> CVE-2026-54518
>
>
>
> Regards
> Vivek
>
>

-- 
[image: Aiven] <https://www.aiven.io>
*Josep Prat*
Sr Engineering Director, Streaming Services, *Aiven*
[email protected]  |  +491715557497

aiven.io <https://www.aiven.io/>

[image: LinkedIn]
<https://www.linkedin.com/company/aiven/posts/?feedView=all>  [image: X]
<https://x.com/aiven_io>  [image: GitHub] <https://github.com/aiven>  [image:
YouTube] <https://www.youtube.com/@Aiven_io>  [image: Facebook]
<https://www.facebook.com/aivencloud>
*Aiven Deutschland GmbH*
Rosenthaler Straße 43-45, 10178 Berlin
Geschäftsführer: Oskari Saarenmaa, Kenneth Chen
Amtsgericht Charlottenburg, HRB 209739 B

Reply via email to