Vulnerability Reportopensearchproject/opensearch:3.5.0

opensearchproject/opensearch:3.5.0

DIGESTsha256:dbb01641baadae5104e18acd888bf05e8fdd9af3567fd30624a76ba3e5a31dec

Executive Summary

Threat ScoreDANGEROUS• 82 exposed vulnerabilities, 34 with severity ≥6.0 and 2 with severity ≥7.0, including a critical 8.33 severity.• CVE-2026-42581 (severity 8.33) enables HTTP request smuggling via conflicting headers, with high contextual importance as Netty handles all inbound HTTP.• Multiple other high-severity Netty vulnerabilities (CVE-2026-33870, CVE-2026-42587) allow request smuggling and denial of service, increasing attack surface.• Image is verified and from a trusted publisher, but the severity of exposed vulnerabilities overrides reputation.

85/100DANGEROUS

ReputationVERIFIED• Verified Publisher (Trusted Vendor)• Pinned by digest (Immutable)

TRUSTED

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could exploit CVE-2026-42581 to perform HTTP request smuggling, leading to data exposure, cache poisoning, or unauthorized actions. Multiple Netty vulnerabilities (e.g., CVE-2026-42581 and CVE-2026-33870) affect core request parsing and decompression, with no configuration required for exploitation. Upgrading to the latest Netty versions would fix these issues, but the current image is not safe for deployment.

Vulnerabilities

Vulnerability Log

109 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-42581	HIGH8.33	io.netty:netty-codec-http 4.1.130.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42581	HIGH8.33	io.netty:netty-codec-http 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-39820	MEDIUM6.38	libcap 2.73-1.amzn2023.0.6 fixed in 2.73-1.amzn2023.0.7	0.4% Theoretical Threat	Directly Exposed
CVE-2026-41989	MEDIUM6.38	libgcrypt 1.10.2-1.amzn2023.0.2 fixed in 1.10.2-1.amzn2023.0.3	0.2% Theoretical Threat	Directly Exposed
CVE-2026-27135	MEDIUM6.38	libnghttp2 1.59.0-3.amzn2023.0.1 fixed in 1.59.0-3.amzn2023.0.2	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-3644	MEDIUM6.38	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.5	0.4% Theoretical Threat	Directly Exposed
CVE-2026-4224	MEDIUM6.38	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.6% Theoretical Threat	Directly Exposed
CVE-2026-44894	MEDIUM6.38	io.netty:netty-codec-classes-quic 4.2.9.Final fixed in 4.2.15.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-33870	MEDIUM6.38	io.netty:netty-codec-http 4.1.130.Final fixed in 4.1.132.Final, 4.2.10.Final	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http 4.1.130.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42585	MEDIUM6.38	io.netty:netty-codec-http 4.1.130.Final fixed in 4.2.13.Final, 4.1.133.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-33870	MEDIUM6.38	io.netty:netty-codec-http 4.2.9.Final fixed in 4.1.132.Final, 4.2.10.Final	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42585	MEDIUM6.38	io.netty:netty-codec-http 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-33871	MEDIUM6.38	io.netty:netty-codec-http2 4.1.130.Final fixed in 4.1.132.Final, 4.2.11.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http2 4.1.130.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-48043	MEDIUM6.38	io.netty:netty-codec-http2 4.1.130.Final fixed in 4.1.135.Final, 4.2.15.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-33871	MEDIUM6.38	io.netty:netty-codec-http2 4.2.9.Final fixed in 4.1.132.Final, 4.2.11.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http2 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-48043	MEDIUM6.38	io.netty:netty-codec-http2 4.2.9.Final fixed in 4.1.135.Final, 4.2.15.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-48748	MEDIUM6.38	io.netty:netty-codec-http3 4.2.9.Final fixed in 4.2.15.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.1.130.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-50010	MEDIUM6.38	io.netty:netty-handler 4.1.130.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-50010	MEDIUM6.38	io.netty:netty-handler 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42578	MEDIUM6.38	io.netty:netty-handler-proxy 4.2.9.Final fixed in 4.1.133.Final, 4.2.13.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34478	MEDIUM6.38	org.apache.logging.log4j:log4j-core 2.25.3 fixed in 2.25.4	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34480	MEDIUM6.38	org.apache.logging.log4j:log4j-core 2.25.3 fixed in 2.25.4	0.9% Theoretical Threat	Directly Exposed
CVE-2026-5598	MEDIUM6.38	org.bouncycastle:bcprov-jdk18on 1.78.1 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2026-40542	MEDIUM6.21	org.apache.httpcomponents.client5:httpclient5 5.6 fixed in 5.6.1	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42584	MEDIUM6.18	io.netty:netty-codec-http 4.1.130.Final fixed in 4.2.13.Final, 4.1.133.Final	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42584	MEDIUM6.18	io.netty:netty-codec-http 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-4786	MEDIUM6.03	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-1299	MEDIUM6.03	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.6% Theoretical Threat	Directly Exposed
CVE-2026-35554	MEDIUM5.78	org.apache.kafka:kafka-clients 4.1.1 fixed in 3.9.2, 4.0.2, 4.1.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-9149	MEDIUM5.52	libsolv 0.7.22-1.amzn2023.0.2 fixed in 0.7.22-1.amzn2023.0.4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-9150	MEDIUM5.52	libsolv 0.7.22-1.amzn2023.0.2 fixed in 0.7.22-1.amzn2023.0.4	0.4% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	openssl-fips-provider-latest 1:3.2.2-1.amzn2023.0.5 fixed in 1:3.5.5-1.amzn2023.0.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	openssl-libs 1:3.2.2-1.amzn2023.0.5 fixed in 1:3.5.5-1.amzn2023.0.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-41417	MEDIUM5.52	io.netty:netty-codec-http 4.1.130.Final fixed in 4.1.133.Final, 4.2.13.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42580	MEDIUM5.52	io.netty:netty-codec-http 4.1.130.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-41417	MEDIUM5.52	io.netty:netty-codec-http 4.2.9.Final fixed in 4.1.133.Final, 4.2.13.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42580	MEDIUM5.52	io.netty:netty-codec-http 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk18on 1.78.1 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2026-28387	MEDIUM5.5	openssl-fips-provider-latest 1:3.2.2-1.amzn2023.0.5 fixed in 1:3.5.5-1.amzn2023.0.4	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-28387	MEDIUM5.5	openssl-libs 1:3.2.2-1.amzn2023.0.5 fixed in 1:3.5.5-1.amzn2023.0.4	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-44249	MEDIUM5.5	io.netty:netty-handler 4.1.130.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-44249	MEDIUM5.5	io.netty:netty-handler 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-6019	MEDIUM5.18	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.6	0.2% Theoretical Threat	Directly Exposed
CVE-2026-28388	MEDIUM5.1	openssl-fips-provider-latest 1:3.2.2-1.amzn2023.0.5 fixed in 1:3.5.5-1.amzn2023.0.4	0.9% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-28388	MEDIUM5.1	openssl-libs 1:3.2.2-1.amzn2023.0.5 fixed in 1:3.5.5-1.amzn2023.0.4	0.9% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-40355	MEDIUM5.02	krb5-libs 1.21.3-6.amzn2023.0.1 fixed in 1.21.3-7.amzn2023.0.1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-40356	MEDIUM5.02	krb5-libs 1.21.3-6.amzn2023.0.1 fixed in 1.21.3-7.amzn2023.0.1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	openssl-fips-provider-latest 1:3.2.2-1.amzn2023.0.5 fixed in 1:3.5.5-1.amzn2023.0.4	1.0% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	openssl-libs 1:3.2.2-1.amzn2023.0.5 fixed in 1:3.5.5-1.amzn2023.0.4	1.0% Theoretical Threat	Directly Exposed
CVE-2026-34477	MEDIUM5.02	org.apache.logging.log4j:log4j-core 2.25.3 fixed in 2.25.4	0.4% Theoretical Threat	Directly Exposed
CVE-2026-27142	MEDIUM4.59	libcap 2.73-1.amzn2023.0.6 fixed in 2.73-1.amzn2023.0.7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc 2.34-231.amzn2023.0.3 fixed in 2.34-231.amzn2023.0.4	0.4% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc-common 2.34-231.amzn2023.0.3 fixed in 2.34-231.amzn2023.0.4	0.4% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc-minimal-langpack 2.34-231.amzn2023.0.3 fixed in 2.34-231.amzn2023.0.4	0.4% Theoretical Threat	Directly Exposed
CVE-2026-50020	MEDIUM4.5	io.netty:netty-codec-http 4.1.130.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-50020	MEDIUM4.5	io.netty:netty-codec-http 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-47244	MEDIUM4.5	io.netty:netty-codec-http2 4.1.130.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-50560	MEDIUM4.5	io.netty:netty-codec-http2 4.1.130.Final fixed in 4.2.15.Final, 4.1.135.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-47244	MEDIUM4.5	io.netty:netty-codec-http2 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-50560	MEDIUM4.5	io.netty:netty-codec-http2 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15282	MEDIUM4.08	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.5% Theoretical Threat	Directly Exposed
CVE-2026-0672	MEDIUM4.08	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.4% Theoretical Threat	Directly Exposed
CVE-2025-11468	LOW3.82	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.5% Theoretical Threat	Directly Exposed
CVE-2026-0865	LOW3.82	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.5% Theoretical Threat	Directly Exposed
CVE-2026-6357	LOW2.96	python3-pip-wheel 21.3.1-2.amzn2023.0.16 fixed in 21.3.1-2.amzn2023.0.19	0.1% Theoretical Threat	Post-Exploit
CVE-2026-4519	LOW2.8	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-2297	LOW2.8	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-48863	LOW2.7	libsolv 0.7.22-1.amzn2023.0.2 fixed in 0.7.22-1.amzn2023.0.4	—	Post-Exploit
CVE-2026-33557	LOW2.63	org.apache.kafka:kafka-clients 4.1.1 fixed in 4.1.2	0.5% Theoretical Threat	Post-Exploit
CVE-2026-6100	LOW2.48	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.5	0.5% Theoretical Threat	Post-Exploit
CVE-2026-6100	LOW2.48	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.5	0.5% Theoretical Threat	Post-Exploit
CVE-2025-15282	LOW2.45	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.5% Theoretical Threat	Post-Exploit
CVE-2026-0672	LOW2.45	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.4% Theoretical Threat	Post-Exploit
CVE-2025-54920	LOW2.41	org.apache.spark:spark-core_2.13 3.5.4 fixed in 4.0.1, 3.5.7	5.3% Low-Moderate Risk	Post-Exploit
CVE-2026-48864	LOW2.39	libsolv 0.7.22-1.amzn2023.0.2 fixed in 0.7.22-1.amzn2023.0.4	0.2% Theoretical Threat	Post-Exploit
CVE-2026-33811	LOW2.29	libcap 2.73-1.amzn2023.0.6 fixed in 2.73-1.amzn2023.0.7	0.5% Theoretical Threat	Post-Exploit
CVE-2026-33814	LOW2.29	libcap 2.73-1.amzn2023.0.6 fixed in 2.73-1.amzn2023.0.7	0.6% Theoretical Threat	Post-Exploit
CVE-2026-28389	LOW2.29	openssl-fips-provider-latest 1:3.2.2-1.amzn2023.0.5 fixed in 1:3.5.5-1.amzn2023.0.4	0.8% Theoretical Threat	Post-Exploit
CVE-2026-28390	LOW2.29	openssl-fips-provider-latest 1:3.2.2-1.amzn2023.0.5 fixed in 1:3.5.5-1.amzn2023.0.4	0.8% Theoretical Threat	Post-Exploit
CVE-2026-28389	LOW2.29	openssl-libs 1:3.2.2-1.amzn2023.0.5 fixed in 1:3.5.5-1.amzn2023.0.4	0.8% Theoretical Threat	Post-Exploit
CVE-2026-28390	LOW2.29	openssl-libs 1:3.2.2-1.amzn2023.0.5 fixed in 1:3.5.5-1.amzn2023.0.4	0.8% Theoretical Threat	Post-Exploit
CVE-2026-3644	LOW2.29	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.5	0.4% Theoretical Threat	Post-Exploit
CVE-2026-4224	LOW2.29	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.6% Theoretical Threat	Post-Exploit
CVE-2025-11468	LOW2.29	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.5% Theoretical Threat	Post-Exploit
CVE-2026-0865	LOW2.29	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.5% Theoretical Threat	Post-Exploit
CVE-2026-4786	LOW2.17	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.5	0.2% Theoretical Threat	Post-Exploit
CVE-2026-1299	LOW2.17	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.6% Theoretical Threat	Post-Exploit
CVE-2026-1703	LOW1.99	python3-pip-wheel 21.3.1-2.amzn2023.0.16 fixed in 21.3.1-2.amzn2023.0.17	0.4% Theoretical Threat	Post-Exploit
CVE-2026-3805	LOW1.93	curl-minimal 8.17.0-1.amzn2023.0.1 fixed in 8.17.0-1.amzn2023.0.3	0.7% Theoretical Threat	Post-Exploit
CVE-2026-3805	LOW1.93	libcurl-minimal 8.17.0-1.amzn2023.0.1 fixed in 8.17.0-1.amzn2023.0.3	0.7% Theoretical Threat	Post-Exploit
CVE-2026-6019	LOW1.87	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.6	0.2% Theoretical Threat	Post-Exploit
CVE-2026-4519	LOW1.68	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.2% Theoretical Threat	Post-Exploit
CVE-2026-2297	LOW1.68	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.2% Theoretical Threat	Post-Exploit
CVE-2026-39823	NONE0	libcap 2.73-1.amzn2023.0.6 fixed in 2.73-1.amzn2023.0.7	0.3% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	libcap 2.73-1.amzn2023.0.6 fixed in 2.73-1.amzn2023.0.7	0.6% Theoretical Threat	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.16.2 fixed in 2.21.1, 2.18.6	—	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.20.1 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec 4.1.130.Final fixed in 4.1.133.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-50009	NONE0	io.netty:netty-codec-classes-quic 4.2.9.Final fixed in 4.2.15.Final	0.2% Theoretical Threat	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec-compression 4.2.9.Final fixed in 4.2.13.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-42582	NONE0	io.netty:netty-codec-http3 4.2.9.Final fixed in 4.2.13.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-44892	NONE0	io.netty:netty-codec-http3 4.2.9.Final fixed in 4.2.15.Final	0.5% Theoretical Threat	Not Applicable
CVE-2026-8149	NONE0	org.bouncycastle:bc-fips 2.1.2 No fix yet	0.2% Theoretical Threat	Not Applicable