Vulnerability Reportapachepulsar/pulsar:4.0.10

apachepulsar/pulsar:4.0.10

DIGESTsha256:d1015512935f91b2feb6728071a83441e04875b5bc3eca2f0f85e95b3fef50e0

Executive Summary

Threat ScoreDANGEROUS• Critical vulnerability CVE-2026-42581 (CVSS 8.3) in Netty HTTP codec enables request smuggling, posing severe risk to Pulsar's exposed HTTP services.• Multiple high-severity Netty flaws (CVE-2026-42587, CVE-2026-45416) allow remote denial of service via memory exhaustion.• Overall 31 exposed vulnerabilities, including 13 with severity ≥6.0 and 1 critical (CVSS 8.3); post-exploit findings are minimal (max 3.5).• Image from popular community publisher (36M+ pulls) with pinned digest, but exploitable Netty issues require immediate remediation.

75/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (36M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could exploit request smuggling (CVE-2026-42581) to bypass access controls and manipulate Pulsar data, or trigger denial of service (CVE-2026-42587) via decompression bombs. These vulnerabilities are remotely exploitable without authentication and require no special configuration. Patch Netty to versions 4.1.133.Final or later to mitigate all listed Netty CVEs.

Vulnerabilities

Vulnerability Log

43 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-42581	HIGH8.33	io.netty:netty-codec-http 4.1.132.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-45674	MEDIUM6.8	io.netty:netty-resolver-dns 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-47691	MEDIUM6.8	io.netty:netty-resolver-dns 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-6732	MEDIUM6.38	libxml2 2.13.9-r0 fixed in 2.13.9-r1	0.6% Theoretical Threat	Directly Exposed
CVE-2026-27135	MEDIUM6.38	nghttp2-libs 1.64.0-r0 fixed in 1.68.1	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http 4.1.132.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42585	MEDIUM6.38	io.netty:netty-codec-http 4.1.132.Final fixed in 4.2.13.Final, 4.1.133.Final	0.2% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http2 4.1.132.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-48043	MEDIUM6.38	io.netty:netty-codec-http2 4.1.132.Final fixed in 4.1.135.Final, 4.2.15.Final	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-45292	MEDIUM6.38	io.opentelemetry:opentelemetry-api 1.56.0 fixed in 1.62.0	0.5% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-43869	MEDIUM6.21	org.apache.thrift:libthrift 0.14.2 fixed in 0.23.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42579	MEDIUM6.18	io.netty:netty-codec-dns 4.1.132.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-5947	MEDIUM5.9	bind-libs 9.18.47-r0 fixed in 9.18.49-r0	1.2% Low-Moderate Risk	Directly Exposed
CVE-2026-45673	MEDIUM5.78	io.netty:netty-resolver-dns 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-41417	MEDIUM5.52	io.netty:netty-codec-http 4.1.132.Final fixed in 4.1.133.Final, 4.2.13.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42580	MEDIUM5.52	io.netty:netty-codec-http 4.1.132.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-44249	MEDIUM5.5	io.netty:netty-handler 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-44893	MEDIUM5.1	io.netty:netty-codec-haproxy 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-48059	MEDIUM5.1	io.netty:netty-codec-haproxy 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-3592	MEDIUM4.5	bind-libs 9.18.47-r0 fixed in 9.18.49-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-5950	MEDIUM4.5	bind-libs 9.18.47-r0 fixed in 9.18.49-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34743	MEDIUM4.5	xz-libs 5.6.3-r1 fixed in 5.8.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-50020	MEDIUM4.5	io.netty:netty-codec-http 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-47244	MEDIUM4.5	io.netty:netty-codec-http2 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-50560	MEDIUM4.5	io.netty:netty-codec-http2 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-6860	MEDIUM4.5	io.vertx:vertx-core 4.5.24 fixed in 4.5.27, 5.0.12	0.2% Theoretical Threat	Directly Exposed
CVE-2026-3593	LOW3.53	bind-libs 9.18.47-r0 fixed in 9.18.49-r0	1.6% Low-Moderate Risk	Post-Exploit
CVE-2026-3593	LOW3.53	bind-tools 9.18.47-r0 fixed in 9.18.49-r0	1.6% Low-Moderate Risk	Post-Exploit
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42584	LOW2.78	io.netty:netty-codec-http 4.1.132.Final fixed in 4.2.13.Final, 4.1.133.Final	0.3% Theoretical Threat	Post-Exploit
CVE-2026-3592	LOW2.7	bind-tools 9.18.47-r0 fixed in 9.18.49-r0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-5950	LOW2.7	bind-tools 9.18.47-r0 fixed in 9.18.49-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-3039	LOW2.29	bind-libs 9.18.47-r0 fixed in 9.18.49-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-5946	LOW2.29	bind-libs 9.18.47-r0 fixed in 9.18.49-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-3039	LOW2.29	bind-tools 9.18.47-r0 fixed in 9.18.49-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-5946	LOW2.29	bind-tools 9.18.47-r0 fixed in 9.18.49-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-50010	LOW2.29	io.netty:netty-handler 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42578	LOW2.29	io.netty:netty-handler-proxy 4.1.132.Final fixed in 4.1.133.Final, 4.2.13.Final	0.4% Theoretical Threat	Post-Exploit
CVE-2026-5947	LOW2.12	bind-tools 9.18.47-r0 fixed in 9.18.49-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2026-42583	NONE0	io.netty:netty-codec 4.1.132.Final fixed in 4.1.133.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-45205	NONE0	org.apache.commons:commons-configuration2 2.12.0 fixed in 2.15.0	0.5% Theoretical Threat	Not Applicable
CVE-2026-45300	NONE0	org.asynchttpclient:async-http-client 2.14.5 fixed in 3.0.10, 2.15.0	0.3% Theoretical Threat	Not Applicable