In Apache Kafka versions up to 3.9.1 and 4.0.0 a medium severity vulnerability CVE-2026-33558 was detected. This vulnerability allows attackers to access sensitive information, including authentication credentials and delegation tokens, because the NetworkClient component outputs entire requests and responses—such as SaslAuthenticate and AlterConfigs—when the DEBUG log level is enabled. To address this issue users must upgrade to version 3.9.2, 4.0.1, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-33558.
In Kimai versions 2.52.0 and below a high severity vulnerability CVE-2026-40486 was detected. This vulnerability allows attackers with standard user accounts to modify restricted attributes such as hourly_rate and internal_rate via the User Preferences API, bypassing intended permission checks. This unauthorized financial tampering directly impacts invoice generation and timesheet calculations. To address this issue users must upgrade to version 2.53.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-40486.
In Apache Airflow versions 3.0.0 before 3.2.0 a medium severity vulnerability CVE-2026-32690 was detected. This vulnerability allows attackers to bypass secret redaction and view sensitive values stored in JSON dictionaries, as nested fields were not properly masked when retrieved with specific depth settings. To address this issue, users must upgrade to version 3.2.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-32690.
In Mattermost versions 10.11.x through 10.11.12 a medium severity vulnerability CVE-2026-27769 was detected. This vulnerability allows a malicious remote server connected via the Connected Workspaces feature to change the displayed status of local users by exploiting a failure to validate user ownership within the Connected Workspaces API. To address this issue, users must upgrade to version 11.5.0 or 10.11.13. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27769.
In Apache Airflow versions 3.0.0 before 3.2.0 a low severity vulnerability CVE-2026-32228 was detected. This vulnerability allows attackers with asset materialization permissions to trigger DAGs they otherwise had no access to via the UI or API. To address this issue users must upgrade to version 3.2.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-32228.
In Apache Airflow versions 3.0.0 before 3.2.0 a high severity vulnerability CVE-2026-31987 was detected. This vulnerability allows attackers with UI access to view JWT tokens exposed in task logs, potentially enabling them to impersonate DAG authors and perform unauthorized actions. To address this issue users must upgrade to version 3.2.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-31987.
In Grafana versions prior to 11.6.11, 12.0.9, 12.1.6, and 12.2.4 a low severity vulnerability CVE-2026-21727 was detected. This vulnerability allows attackers with datasource management privileges to read and permanently delete legacy correlation data belonging to other organizations due to improper isolation of legacy records with org_id=0. To address this issue users must upgrade to version 11.6.11, 12.0.9, 12.1.6, or 12.2.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-21727.
In Apache Airflow versions 3.0.0 before 3.2.0 a medium severity vulnerability CVE-2025-57735 was detected. This vulnerability allows attackers to reuse a JWT token that was not properly invalidated after a user logged out, provided the token was intercepted. To address this issue users must upgrade to version 3.2.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-57735.
In Apache Airflow versions prior to 3.2.0 a low severity vulnerability CVE-2025-54550 was detected. This vulnerability allows attackers to perform arbitrary execution of code on the worker if a UI user with XCom modification access exploits an unsafe reading pattern based on documentation examples. To address this issue users must upgrade to the version 3.2.0 documentation standards and adjust their implementations accordingly. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-54550.