Skip to main content

Security Release Notes for CFK 3.2.3

  • Updated

Confluent for Kubernetes (CFK) patch release 3.2.3 addresses security hygiene improvements across CFK components through upgrades to third-party dependencies. 

Security Vulnerabilities

This CFK release version did not include any upgrades related to exploitable security vulnerabilities.

Resolved hygiene issues in 3rd party dependencies

The following package upgrades are included in this release version and are made available to enhance the security hygiene of Confluent software, as no exploitable vector was identified for the CVEs present in impacted packages. We have provided the CVE identifiers to assist customers with analysis. 

CVE

CVSS

Impacted Package Version

Upgraded Package Version

CVE-2026-45570

9.6

github.com/go-git/go-git/v5 < 5.19.1

github.com/go-git/go-git/v5 = 5.19.1

CVE-2026-34040

8.8

github.com/docker/docker < 29.3.1

github.com/docker/docker = Removed

CVE-2026-39828

8.8

golang.org/x/crypto < 0.52.0

golang.org/x/crypto = 0.52.0, 0.53.0

CVE-2026-39821

8.2

golang.org/x/net < 0.55.0

golang.org/x/net = 0.55.0

CVE-2026-44973

8.1

github.com/go-git/go-billy/v5 < 5.9.0

github.com/go-git/go-billy/v5 = 5.9.0

CVE-2026-29181

7.5

go.opentelemetry.io/otel < 1.41.0

go.opentelemetry.io/otel = 1.43.0

CVE-2026-32285

7.5

github.com/buger/jsonparser < 1.1.2

github.com/buger/jsonparser = 1.1.2

CVE-2026-33811

7.5

stdlib < 1.25.10, 1.26.3

stdlib = 1.25.11, 1.26.4-X:boringcrypto

CVE-2026-33814

7.5

golang.org/x/net < 0.53.0

golang.org/x/net = 0.55.0

CVE-2026-33814

7.5

stdlib < 1.25.10, 1.26.3

stdlib = 1.25.11, 1.26.4-X:boringcrypto

CVE-2026-34986

7.5

github.com/go-jose/go-jose/v4 < 4.1.4

github.com/go-jose/go-jose/v4 = 4.1.4

CVE-2026-39820

7.5

stdlib < 1.25.10, 1.26.3

stdlib = 1.25.11, 1.26.4-X:boringcrypto

CVE-2026-39829

7.5

golang.org/x/crypto < 0.52.0

golang.org/x/crypto = 0.52.0, 0.53.0

CVE-2026-39830

7.5

golang.org/x/crypto < 0.52.0

golang.org/x/crypto = 0.52.0, 0.53.0

CVE-2026-39836

7.5

stdlib < 1.25.10, 1.26.3

stdlib = 1.25.11, 1.26.4-X:boringcrypto

CVE-2026-42499

7.5

stdlib < 1.25.10, 1.26.3

stdlib = 1.25.11, 1.26.4-X:boringcrypto

CVE-2026-42504

7.5

stdlib < 1.25.11, 1.26.4

stdlib = 1.25.11, 1.26.4-X:boringcrypto

CVE-2026-44432

7.5

urllib3 < 2.7.0

urllib3 = Removed

CVE-2026-45022

7.5

github.com/go-git/go-git/v5 < 5.19.0

github.com/go-git/go-git/v5 = 5.19.1

CVE-2026-42508

7.4

golang.org/x/crypto < 0.52.0

golang.org/x/crypto = 0.52.0, 0.53.0

CVE-2026-41567

7.2

github.com/docker/docker = 28.0.0+incompatible

github.com/docker/docker = Removed

CVE-2026-42306

7.2

github.com/docker/docker = 28.0.0+incompatible

github.com/docker/docker = Removed

CVE-2026-46595

7.1

golang.org/x/crypto < 0.52.0

golang.org/x/crypto = 0.52.0, 0.53.0

CVE-2026-33997

6.8

github.com/docker/docker < 29.3.1

github.com/docker/docker = Removed

CVE-2026-27145

6.5

stdlib < 1.25.11, 1.26.4

stdlib = 1.25.11, 1.26.4-X:boringcrypto

CVE-2026-44740

6.5

github.com/go-git/go-billy/v5 < 5.9.0

github.com/go-git/go-billy/v5 = 5.9.0

GHSA-w5pp-99ch-qj29

6.5

github.com/go-git/go-git/v5 < 5.19.1

github.com/go-git/go-git/v5 = 5.19.1

CVE-2026-39823

6.1

stdlib < 1.25.10, 1.26.3

stdlib = 1.25.11, 1.26.4-X:boringcrypto

CVE-2026-39826

6.1

stdlib < 1.25.10, 1.26.3

stdlib = 1.25.11, 1.26.4-X:boringcrypto

CVE-2026-41568

6.0

github.com/docker/docker = 28.0.0+incompatible

github.com/docker/docker = Removed

CVE-2026-45571

5.4

github.com/go-git/go-git/v5 < 5.19.1

github.com/go-git/go-git/v5 = 5.19.1

CVE-2026-39825

5.3

stdlib < 1.25.10, 1.26.3

stdlib = 1.25.11, 1.26.4-X:boringcrypto

CVE-2026-42507

5.3

stdlib < 1.25.11, 1.26.4

stdlib = 1.25.11, 1.26.4-X:boringcrypto

CVE-2026-44431

5.3

urllib3 < 2.7.0

urllib3 = Removed

CVE-2026-45409

5.3

idna < 3.15

idna = Removed

CVE-2026-46598

5.3

golang.org/x/crypto < 0.52.0

golang.org/x/crypto = 0.52.0, 0.53.0

CVE-2026-25645

4.4

requests < 2.33.0

requests = Removed

CVE-2026-25680

n/a

golang.org/x/net < 0.55.0

golang.org/x/net = 0.55.0

CVE-2026-25681

n/a

golang.org/x/net < 0.55.0

golang.org/x/net = 0.55.0

CVE-2026-27136

n/a

golang.org/x/net < 0.55.0

golang.org/x/net = 0.55.0

CVE-2026-39824

n/a

golang.org/x/sys < 0.44.0

golang.org/x/sys = 0.45.0, 0.46.0

CVE-2026-39827

n/a

golang.org/x/crypto < 0.52.0

golang.org/x/crypto = 0.52.0, 0.53.0

CVE-2026-39831

n/a

golang.org/x/crypto < 0.52.0

golang.org/x/crypto = 0.52.0, 0.53.0

CVE-2026-39832

n/a

golang.org/x/crypto < 0.52.0

golang.org/x/crypto = 0.52.0, 0.53.0

CVE-2026-39833

n/a

golang.org/x/crypto < 0.52.0

golang.org/x/crypto = 0.52.0, 0.53.0

CVE-2026-39834

n/a

golang.org/x/crypto < 0.52.0

golang.org/x/crypto = 0.52.0, 0.53.0

CVE-2026-39835

n/a

golang.org/x/crypto < 0.52.0

golang.org/x/crypto = 0.52.0, 0.53.0

CVE-2026-42502

n/a

golang.org/x/net < 0.55.0

golang.org/x/net = 0.55.0

CVE-2026-42506

n/a

golang.org/x/net < 0.55.0

golang.org/x/net = 0.55.0

CVE-2026-46597

n/a

golang.org/x/crypto < 0.52.0

golang.org/x/crypto = 0.52.0, 0.53.0

This patch release version depends upon Red Hat Universal Base Image 9 Micro version 9.8-1779858820.

Was this article helpful?
0 out of 0 found this helpful
Return to top

Related articles