Security Release Notes for CPC Gateway – Confluent Support Portal

CPC Gateway v1.2.1

CPC Gateway patch release 1.2.1 addresses security hygiene improvements across CPC Gateway components through upgrades to third-party dependencies.

Security Vulnerabilities

CPC Gateway 1.2.1 did not include any upgrades related to exploitable security vulnerabilities.

Resolved hygiene issues in 3rd party dependencies

The following package upgrades are included in this release version and are made available to enhance the security hygiene of Confluent software, as no exploitable vector was identified for the CVEs present in impacted packages. We have provided the CVE identifiers to assist customers with analysis.

CVE	CVSS	Impacted Package Version	Upgraded Package Version
CVE-2026-45674	8.7	io.netty:netty-resolver-dns < 4.2.15.Final, 4.1.135.Final	io.netty:netty-resolver-dns = 4.2.15.Final
CVE-2026-47691	8.7	io.netty:netty-resolver-dns < 4.2.15.Final, 4.1.135.Final	io.netty:netty-resolver-dns = 4.2.15.Final
CVE-2026-33810	8.2	stdlib < 1.26.2	stdlib = 1.26.4
CVE-2026-44249	8.1	io.netty:netty-handler < 4.2.15.Final, 4.1.135.Final	io.netty:netty-handler = 4.2.15.Final
CVE-2026-32280	7.5	stdlib < 1.25.9, 1.26.2	stdlib = 1.26.4
CVE-2026-32281	7.5	stdlib < 1.25.9, 1.26.2	stdlib = 1.26.4
CVE-2026-32283	7.5	stdlib < 1.25.9, 1.26.2	stdlib = 1.26.4
CVE-2026-33811	7.5	stdlib < 1.25.10, 1.26.3	stdlib = 1.26.4
CVE-2026-33814	7.5	stdlib < 1.25.10, 1.26.3	stdlib = 1.26.4
CVE-2026-33870	7.5	io.netty:netty-codec-http < 4.1.132.Final, 4.2.10.Final	io.netty:netty-codec-http = 4.2.15.Final
CVE-2026-33871	7.5	io.netty:netty-codec-http2 < 4.1.132.Final, 4.2.11.Final	io.netty:netty-codec-http2 = 4.2.15.Final
CVE-2026-34478	7.5	org.apache.logging.log4j:log4j-core < 2.25.4	org.apache.logging.log4j:log4j-core = 2.25.4
CVE-2026-34480	7.5	org.apache.logging.log4j:log4j-core < 2.25.4	org.apache.logging.log4j:log4j-core = 2.25.4
CVE-2026-39820	7.5	stdlib < 1.25.10, 1.26.3	stdlib = 1.26.4
CVE-2026-39836	7.5	stdlib < 1.25.10, 1.26.3	stdlib = 1.26.4
CVE-2026-42499	7.5	stdlib < 1.25.10, 1.26.3	stdlib = 1.26.4
CVE-2026-42504	7.5	stdlib < 1.25.11, 1.26.4	stdlib = 1.26.4
CVE-2026-42577	7.5	io.netty:netty-transport-native-epoll < 4.2.13.Final	io.netty:netty-transport-native-epoll = 4.2.15.Final
CVE-2026-42578	7.5	io.netty:netty-handler-proxy < 4.1.133.Final, 4.2.13.Final	io.netty:netty-handler-proxy = 4.2.15.Final
CVE-2026-42579	7.5	io.netty:netty-codec-dns < 4.2.13.Final, 4.1.133.Final	io.netty:netty-codec-dns = 4.2.15.Final
CVE-2026-42583	7.5	io.netty:netty-codec-compression < 4.2.13.Final	io.netty:netty-codec-compression = 4.2.15.Final
CVE-2026-42587	7.5	io.netty:netty-codec-http < 4.2.13.Final, 4.1.133.Final	io.netty:netty-codec-http = 4.2.15.Final
CVE-2026-42587	7.5	io.netty:netty-codec-http2 < 4.2.13.Final, 4.1.133.Final	io.netty:netty-codec-http2 = 4.2.15.Final
CVE-2026-44893	7.5	io.netty:netty-codec-haproxy < 4.2.15.Final, 4.1.135.Final	io.netty:netty-codec-haproxy = 4.2.15.Final
CVE-2026-45416	7.5	io.netty:netty-handler < 4.2.15.Final, 4.1.135.Final	io.netty:netty-handler = 4.2.15.Final
CVE-2026-48059	7.5	io.netty:netty-codec-haproxy < 4.2.15.Final, 4.1.135.Final	io.netty:netty-codec-haproxy = 4.2.15.Final
CVE-2026-50010	7.5	io.netty:netty-handler < 4.2.15.Final, 4.1.135.Final	io.netty:netty-handler = 4.2.15.Final
CVE-2026-42584	7.3	io.netty:netty-codec-http < 4.2.13.Final, 4.1.133.Final	io.netty:netty-codec-http = 4.2.15.Final
GHSA-72hv-8253-57qq	6.9	com.fasterxml.jackson.core:jackson-core < 2.21.1, 2.18.6	com.fasterxml.jackson.core:jackson-core = 2.18.6, 2.21.1
CVE-2026-45673	6.8	io.netty:netty-resolver-dns < 4.2.15.Final, 4.1.135.Final	io.netty:netty-resolver-dns = 4.2.15.Final
CVE-2026-27145	6.5	stdlib < 1.25.11, 1.26.4	stdlib = 1.26.4
CVE-2026-42580	6.5	io.netty:netty-codec-http < 4.2.13.Final, 4.1.133.Final	io.netty:netty-codec-http = 4.2.15.Final
CVE-2026-42585	6.5	io.netty:netty-codec-http < 4.2.13.Final, 4.1.133.Final	io.netty:netty-codec-http = 4.2.15.Final
CVE-2026-32282	6.4	stdlib < 1.25.9, 1.26.2	stdlib = 1.26.4
CVE-2026-32289	6.1	stdlib < 1.25.9, 1.26.2	stdlib = 1.26.4
CVE-2026-39823	6.1	stdlib < 1.25.10, 1.26.3	stdlib = 1.26.4
CVE-2026-39826	6.1	stdlib < 1.25.10, 1.26.3	stdlib = 1.26.4
CVE-2026-34477	5.9	org.apache.logging.log4j:log4j-core < 2.25.4	org.apache.logging.log4j:log4j-core = 2.25.4
CVE-2026-42581	5.8	io.netty:netty-codec-http < 4.2.13.Final, 4.1.133.Final	io.netty:netty-codec-http = 4.2.15.Final
CVE-2026-32288	5.5	stdlib < 1.25.9, 1.26.2	stdlib = 1.26.4
CVE-2026-39825	5.3	stdlib < 1.25.10, 1.26.3	stdlib = 1.26.4
CVE-2026-41417	5.3	io.netty:netty-codec-http < 4.1.133.Final, 4.2.13.Final	io.netty:netty-codec-http = 4.2.15.Final
CVE-2026-42507	5.3	stdlib < 1.25.11, 1.26.4	stdlib = 1.26.4
CVE-2026-47244	5.3	io.netty:netty-codec-http2 < 4.2.15.Final, 4.1.135.Final	io.netty:netty-codec-http2 = 4.2.15.Final
CVE-2026-48043	5.3	io.netty:netty-codec-http2 < 4.1.135.Final, 4.2.15.Final	io.netty:netty-codec-http2 = 4.2.15.Final
CVE-2026-50020	5.3	io.netty:netty-codec-http < 4.2.15.Final, 4.1.135.Final	io.netty:netty-codec-http = 4.2.15.Final
CVE-2026-50560	5.3	io.netty:netty-codec-http2 < 4.2.15.Final, 4.1.135.Final	io.netty:netty-codec-http2 = 4.2.15.Final
CVE-2025-68161	4.8	org.apache.logging.log4j:log4j-core < 2.25.3	org.apache.logging.log4j:log4j-core = 2.25.4
CVE-2026-45536	4.0	io.netty:netty-transport-native-epoll < 4.2.15.Final, 4.1.135.Final	io.netty:netty-transport-native-epoll = 4.2.15.Final
CVE-2026-45536	4.0	io.netty:netty-transport-native-kqueue < 4.2.15.Final, 4.1.135.Final	io.netty:netty-transport-native-kqueue = 4.2.15.Final
CVE-2026-39824	n/a	golang.org/x/sys < 0.44.0	golang.org/x/sys = 0.46.0

This patch release uses Red Hat Universal Base Image 9 Minimal version 9.8-1782191395.

CPC Gateway v1.2.1

Security Vulnerabilities

Resolved hygiene issues in 3rd party dependencies

Related articles