Security Release Notes for Control Center Next Generation – Confluent Support Portal

Control Center Next Generation v2.5.1

Control Center Next Generation patch release 2.5.1 addresses security hygiene improvements across Control Center Next Generation components through upgrades to third-party dependencies.

Security Vulnerabilities

Control Center Next Generation 2.5.1 did not include any upgrades related to exploitable security vulnerabilities.

Resolved hygiene issues in 3rd party dependencies

The following package upgrades are included in this release version and are made available to enhance the security hygiene of Confluent software, as no exploitable vector was identified for the CVEs present in impacted packages. We have provided the CVE identifiers to assist customers with analysis.

CVE	CVSS	Impacted Package Version	Upgraded Package Version
CVE-2026-33186	9.1	google.golang.org/grpc < 1.79.3	google.golang.org/grpc = 1.80.0, 1.81.1
CVE-2025-67030	8.8	org.codehaus.plexus:plexus-utils < 4.0.3, 3.6.1	org.codehaus.plexus:plexus-utils = 4.0.3
CVE-2026-34040	8.8	github.com/docker/docker < 29.3.1	github.com/docker/docker = Removed
CVE-2026-33810	8.2	stdlib < 1.26.2	stdlib = 1.26.3, 1.26.4
CVE-2026-1605	7.5	org.eclipse.jetty:jetty-server < 12.1.6, 12.0.32	org.eclipse.jetty:jetty-server = 12.0.35
CVE-2026-25679	7.5	stdlib < 1.25.8, 1.26.1	stdlib = 1.26.3, 1.26.4
CVE-2026-27137	7.5	stdlib < 1.26.1	stdlib = 1.26.3, 1.26.4
CVE-2026-29181	7.5	go.opentelemetry.io/otel < 1.41.0	go.opentelemetry.io/otel = 1.41.0, 1.44.0
CVE-2026-32280	7.5	stdlib < 1.25.9, 1.26.2	stdlib = 1.26.3, 1.26.4
CVE-2026-32281	7.5	stdlib < 1.25.9, 1.26.2	stdlib = 1.26.3, 1.26.4
CVE-2026-32283	7.5	stdlib < 1.25.9, 1.26.2	stdlib = 1.26.3, 1.26.4
CVE-2026-32285	7.5	github.com/buger/jsonparser < 1.1.2	github.com/buger/jsonparser = 1.1.2
CVE-2026-33811	7.5	stdlib < 1.25.10, 1.26.3	stdlib = 1.26.3, 1.26.4
CVE-2026-33814	7.5	stdlib < 1.25.10, 1.26.3	stdlib = 1.26.3, 1.26.4
CVE-2026-33870	7.5	io.netty:netty-codec-http < 4.1.132.Final, 4.2.10.Final	io.netty:netty-codec-http = 4.1.133.Final, 4.2.13.Final
CVE-2026-33871	7.5	io.netty:netty-codec-http2 < 4.1.132.Final, 4.2.11.Final	io.netty:netty-codec-http2 = 4.1.133.Final, 4.2.13.Final
CVE-2026-34478	7.5	org.apache.logging.log4j:log4j-core < 2.25.4	org.apache.logging.log4j:log4j-core = 2.25.4
CVE-2026-34480	7.5	org.apache.logging.log4j:log4j-core < 2.25.4	org.apache.logging.log4j:log4j-core = 2.25.4
CVE-2026-39820	7.5	stdlib < 1.25.10, 1.26.3	stdlib = 1.26.3, 1.26.4
CVE-2026-39836	7.5	stdlib < 1.25.10, 1.26.3	stdlib = 1.26.3, 1.26.4
CVE-2026-42499	7.5	stdlib < 1.25.10, 1.26.3	stdlib = 1.26.3, 1.26.4
CVE-2026-42578	7.5	io.netty:netty-handler-proxy < 4.1.133.Final, 4.2.13.Final	io.netty:netty-handler-proxy = 4.1.133.Final, 4.2.13.Final
CVE-2026-42579	7.5	io.netty:netty-codec-dns < 4.2.13.Final, 4.1.133.Final	io.netty:netty-codec-dns = 4.1.133.Final, 4.2.13.Final
CVE-2026-42583	7.5	io.netty:netty-codec < 4.1.133.Final	io.netty:netty-codec = 4.1.133.Final, 4.2.13.Final
CVE-2026-42587	7.5	io.netty:netty-codec-http2 < 4.2.13.Final, 4.1.133.Final	io.netty:netty-codec-http2 = 4.1.133.Final, 4.2.13.Final
CVE-2026-42587	7.5	io.netty:netty-codec-http < 4.2.13.Final, 4.1.133.Final	io.netty:netty-codec-http = 4.1.133.Final, 4.2.13.Final
CVE-2026-2332	7.4	org.eclipse.jetty:jetty-http < 12.1.7, 12.0.33	org.eclipse.jetty:jetty-http = 12.0.35
CVE-2026-45300	7.4	org.asynchttpclient:async-http-client < 3.0.10, 2.15.0	org.asynchttpclient:async-http-client = 3.0.10
CVE-2026-42584	7.3	io.netty:netty-codec-http < 4.2.13.Final, 4.1.133.Final	io.netty:netty-codec-http = 4.1.133.Final, 4.2.13.Final
CVE-2026-41567	7.2	github.com/docker/docker = 28.5.2+incompatible	github.com/docker/docker = Removed
CVE-2026-42306	7.2	github.com/docker/docker = 28.5.2+incompatible	github.com/docker/docker = Removed
CVE-2026-24051	7.0	go.opentelemetry.io/otel/sdk < 1.40.0	go.opentelemetry.io/otel/sdk = 1.41.0, 1.44.0
GHSA-72hv-8253-57qq	6.9	com.fasterxml.jackson.core:jackson-core < 2.21.1, 2.18.6	com.fasterxml.jackson.core:jackson-core = 2.21.2
CVE-2026-33997	6.8	github.com/docker/docker < 29.3.1	github.com/docker/docker = Removed
CVE-2026-40490	6.8	org.asynchttpclient:async-http-client < 3.0.9, 2.14.5	org.asynchttpclient:async-http-client = 3.0.10
CVE-2026-2303	6.5	go.mongodb.org/mongo-driver < 1.17.7	go.mongodb.org/mongo-driver = Removed
CVE-2026-42580	6.5	io.netty:netty-codec-http < 4.2.13.Final, 4.1.133.Final	io.netty:netty-codec-http = 4.1.133.Final, 4.2.13.Final
CVE-2026-42585	6.5	io.netty:netty-codec-http < 4.2.13.Final, 4.1.133.Final	io.netty:netty-codec-http = 4.1.133.Final, 4.2.13.Final
CVE-2026-32282	6.4	stdlib < 1.25.9, 1.26.2	stdlib = 1.26.3, 1.26.4
CVE-2026-27142	6.1	stdlib < 1.25.8, 1.26.1	stdlib = 1.26.3, 1.26.4
CVE-2026-32289	6.1	stdlib < 1.25.9, 1.26.2	stdlib = 1.26.3, 1.26.4
CVE-2026-39823	6.1	stdlib < 1.25.10, 1.26.3	stdlib = 1.26.3, 1.26.4
CVE-2026-39826	6.1	stdlib < 1.25.10, 1.26.3	stdlib = 1.26.3, 1.26.4
CVE-2026-40179	6.1	github.com/prometheus/prometheus < 0.311.2-0.20260410083055-07c6232d159b	github.com/prometheus/prometheus = 3.12.0
CVE-2026-41568	6.0	github.com/docker/docker = 28.5.2+incompatible	github.com/docker/docker = Removed
CVE-2026-27138	5.9	stdlib < 1.26.1	stdlib = 1.26.3, 1.26.4
CVE-2026-34477	5.9	org.apache.logging.log4j:log4j-core < 2.25.4	org.apache.logging.log4j:log4j-core = 2.25.4
CVE-2026-42581	5.8	io.netty:netty-codec-http < 4.2.13.Final, 4.1.133.Final	io.netty:netty-codec-http = 4.1.133.Final, 4.2.13.Final
CVE-2026-32288	5.5	stdlib < 1.25.9, 1.26.2	stdlib = 1.26.3, 1.26.4
CVE-2026-39825	5.3	stdlib < 1.25.10, 1.26.3	stdlib = 1.26.3, 1.26.4
CVE-2026-41417	5.3	io.netty:netty-codec-http < 4.1.133.Final, 4.2.13.Final	io.netty:netty-codec-http = 4.1.133.Final, 4.2.13.Final
CVE-2025-11143	3.7	org.eclipse.jetty:jetty-http < 12.0.31, 12.1.5	org.eclipse.jetty:jetty-http = 12.0.35
CVE-2026-27139	2.5	stdlib < 1.25.8, 1.26.1	stdlib = 1.26.3, 1.26.4

This patch release uses Red Hat Universal Base Image 9 Minimal version 9.8-1780378819.

Control Center Next Generation v2.5.1

Security Vulnerabilities

Resolved hygiene issues in 3rd party dependencies

Related articles