Confluent Platform patch release version 7.6.10 contains fixes that resolve vulnerabilities in Confluent owned components and in various dependency versions depended upon by Confluent Platform components.
Security Vulnerabilities
Confluent Platform 7.6.10 patch release contains fixes for following security vulnerability:
CVE |
CVSS |
Affected Components |
Resolution |
8.7 |
Apache Kafka versions ≤ 3.9.1, ≤ 4.0.1, and ≤ 4.1.1 | This issue has been fixed in Apache Kafka versions 3.9.2, 4.0.2, and 4.1.2 and Confluent Platform versions: 7.4.14, 7.5.13, 7.6.10, 7.7.8, 7.8.7, 7.9.6, 8.0.4, 8.1.2 |
More information to follow in the Confluent Security Advisory:
- CVE-2026-35554: CONFSA-2026-01: Producer Message Corruption and Misrouting in Apache Kafka Clients
Resolved hygiene issues in 3rd party dependencies
The following package upgrades are included in this release version and are made available to enhance the security hygiene of Confluent software, as no exploitable vector was identified for the CVEs present in impacted packages. We have provided the CVE identifiers to assist customers with analysis.
CVE |
CVSS |
Impacted Package Version |
Upgraded Package Version |
| CVE-2025-68121 | 10 |
stdlib < v1.25.4 | stdlib = 1.26.0 |
| CVE-2024-29371 | 7.5 |
org.bitbucket.b_c:jose4j < 0.9.5 | org.bitbucket.b_c:jose4j = 0.9.6 |
| CVE-2025-61726 | 7.5 |
stdlib < v1.25.4 | stdlib = 1.26.0 |
| CVE-2025-61729 | 7.5 |
stdlib < v1.25.4 | stdlib = 1.26.0 |
| CVE-2025-66418 | 7.5 |
urllib3 < 2.5.0 | urllib3 = 2.6.3 |
| CVE-2025-66471 | 7.5 |
urllib3 < 2.5.0 | urllib3 = 2.6.3 |
| CVE-2025-66566 | 7.5 |
org.lz4:lz4-java < 1.8.0 | at.yawk.lz4:lz4-java = 1.10.2 |
| CVE-2026-21441 | 7.5 |
urllib3 < 2.5.0 | urllib3 = 2.6.3 |
| CVE-2025-11143 | 6.5 |
org.eclipse.jetty:jetty-http < 9.5.59 | org.eclipse.jetty:jetty-http = 9.4.59 |
| CVE-2025-12183 | 6.5 |
org.lz4:lz4-java < 1.8.0 | at.yawk.lz4:lz4-java = 1.10.2 |
| CVE-2025-48924 | 6.5 |
org.apache.commons:commons-lang3 < 3.8.1 | org.apache.commons:commons-lang3 = 3.18.0 |
| CVE-2025-61727 | 6.5 |
stdlib < v1.25.4 | stdlib = 1.26.0 |
| CVE-2025-61728 | 6.5 |
stdlib < v1.25.4 | stdlib = 1.26.0 |
| CVE-2025-67735 | 6.5 |
io.netty:netty-codec-http < 4.1.128.Final | io.netty:netty-codec-http = 4.1.130.Final |
| CVE-2025-9341 | 6.2 |
org.bouncycastle:bc-fips < 2.1.0 | org.bouncycastle:bc-fips = 2.1.2 |
| CVE-2025-9340 | 5.9 |
org.bouncycastle:bc-fips < 2.1.0 | org.bouncycastle:bc-fips = 2.1.2 |
| CVE-2025-61730 | 5.3 |
stdlib < v1.25.4 | stdlib = 1.26.0 |
| CVE-2026-1002 | 5.3 |
io.vertx:vertx-core < 4.5.22 | io.vertx:vertx-core = 4.5.24 |
| CVE-2025-12194 | 4 |
org.bouncycastle:bc-fips < 2.1.0 | org.bouncycastle:bc-fips = 2.1.2 |
| CVE-2025-9092 | 1.8 |
org.bouncycastle:bc-fips < 2.1.0 | org.bouncycastle:bc-fips = 2.1.2 |
This patch release uses Red Hat Universal Base Image 8 Minimal version 8.10-1770785328.