Vulnerability Report: opensearchproject/opensearch:3.6.0

DIGEST: sha256:b5dd1512af2a99748c942cfbbd7f32162623336b210667d0fc6333c6321f171d

Executive Summary

Threat Score: 74/100 (CAUTION)
Reputation: TRUSTED

This image carries significant risk; production deployment is highly discouraged without strict compensating controls. An attacker could exploit HTTP request smuggling (CVE-2026-42581) to poison caches or hijack sessions, while the response parsing bug (CVE-2026-42584) may enable data injection. Although the image is from a trusted vendor, the sheer number of exploitable vulnerabilities in the exposed surface demands caution.

Vulnerabilities

Vulnerability Log

53 total
| CVE ID | Adjusted Severity | Package | Exploit Probability | Risk Context |
|---|---|---|---|---|
| CVE-2026-42581 | HIGH 8.33 | io.netty:netty-codec-http 4.1.132.Final (fixed in 4.2.13.Final, 4.1.133.Final) | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2026-42581 | HIGH 8.33 | io.netty:netty-codec-http 4.2.12.Final (fixed in 4.2.13.Final, 4.1.133.Final) | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2026-42584 | HIGH 7.73 | io.netty:netty-codec-http 4.1.132.Final (fixed in 4.2.13.Final, 4.1.133.Final) | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-42584 | HIGH 7.73 | io.netty:netty-codec-http 4.2.12.Final (fixed in 4.2.13.Final, 4.1.133.Final) | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-48863 | HIGH 7.5 | libsolv 0.7.22-1.amzn2023.0.2 (fixed in 0.7.22-1.amzn2023.0.4) | | Directly Exposed |
| CVE-2026-44249 | MEDIUM 6.88 | io.netty:netty-handler 4.1.132.Final (fixed in 4.2.15.Final, 4.1.135.Final) | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-44249 | MEDIUM 6.88 | io.netty:netty-handler 4.2.12.Final (fixed in 4.2.15.Final, 4.1.135.Final) | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-48864 | MEDIUM 6.63 | libsolv 0.7.22-1.amzn2023.0.2 (fixed in 0.7.22-1.amzn2023.0.4) | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2026-33811 | MEDIUM 6.38 | libcap 2.73-1.amzn2023.0.6 (fixed in 2.73-1.amzn2023.0.7) | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-33814 | MEDIUM 6.38 | libcap 2.73-1.amzn2023.0.6 (fixed in 2.73-1.amzn2023.0.7) | 0.6% (Theoretical Threat) | Directly Exposed |
| CVE-2026-39820 | MEDIUM 6.38 | libcap 2.73-1.amzn2023.0.6 (fixed in 2.73-1.amzn2023.0.7) | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2026-44894 | MEDIUM 6.38 | io.netty:netty-codec-classes-quic 4.2.12.Final (fixed in 4.2.15.Final) | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2026-42587 | MEDIUM 6.38 | io.netty:netty-codec-http 4.1.132.Final (fixed in 4.2.13.Final, 4.1.133.Final) | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-42585 | MEDIUM 6.38 | io.netty:netty-codec-http 4.1.132.Final (fixed in 4.2.13.Final, 4.1.133.Final) | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2026-42587 | MEDIUM 6.38 | io.netty:netty-codec-http 4.2.12.Final (fixed in 4.2.13.Final, 4.1.133.Final) | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-42585 | MEDIUM 6.38 | io.netty:netty-codec-http 4.2.12.Final (fixed in 4.2.13.Final, 4.1.133.Final) | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2026-42587 | MEDIUM 6.38 | io.netty:netty-codec-http2 4.1.132.Final (fixed in 4.2.13.Final, 4.1.133.Final) | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-48043 | MEDIUM 6.38 | io.netty:netty-codec-http2 4.1.132.Final (fixed in 4.1.135.Final, 4.2.15.Final) | 0.6% (Theoretical Threat) | Directly Exposed |
| CVE-2026-42587 | MEDIUM 6.38 | io.netty:netty-codec-http2 4.2.12.Final (fixed in 4.2.13.Final, 4.1.133.Final) | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-48043 | MEDIUM 6.38 | io.netty:netty-codec-http2 4.2.12.Final (fixed in 4.1.135.Final, 4.2.15.Final) | 0.6% (Theoretical Threat) | Directly Exposed |
| CVE-2026-48748 | MEDIUM 6.38 | io.netty:netty-codec-http3 4.2.12.Final (fixed in 4.2.15.Final) | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-45416 | MEDIUM 6.38 | io.netty:netty-handler 4.1.132.Final (fixed in 4.2.15.Final, 4.1.135.Final) | 0.6% (Theoretical Threat) | Directly Exposed |
| CVE-2026-50010 | MEDIUM 6.38 | io.netty:netty-handler 4.1.132.Final (fixed in 4.2.15.Final, 4.1.135.Final) | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2026-45416 | MEDIUM 6.38 | io.netty:netty-handler 4.2.12.Final (fixed in 4.2.15.Final, 4.1.135.Final) | 0.6% (Theoretical Threat) | Directly Exposed |
| CVE-2026-50010 | MEDIUM 6.38 | io.netty:netty-handler 4.2.12.Final (fixed in 4.2.15.Final, 4.1.135.Final) | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2026-42578 | MEDIUM 6.38 | io.netty:netty-handler-proxy 4.2.12.Final (fixed in 4.1.133.Final, 4.2.13.Final) | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2026-34478 | MEDIUM 6.38 | org.apache.logging.log4j:log4j-core 2.25.3 (fixed in 2.25.4) | 0.8% (Theoretical Threat) | Directly Exposed |
| CVE-2026-34480 | MEDIUM 6.38 | org.apache.logging.log4j:log4j-core 2.25.3 (fixed in 2.25.4) | 0.9% (Theoretical Threat) | Directly Exposed |
| CVE-2026-40542 | MEDIUM 6.21 | org.apache.httpcomponents.client5:httpclient5 5.6 (fixed in 5.6.1) | 0.6% (Theoretical Threat) | Directly Exposed |
| CVE-2026-9149 | MEDIUM 5.52 | libsolv 0.7.22-1.amzn2023.0.2 (fixed in 0.7.22-1.amzn2023.0.4) | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-9150 | MEDIUM 5.52 | libsolv 0.7.22-1.amzn2023.0.2 (fixed in 0.7.22-1.amzn2023.0.4) | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2026-41417 | MEDIUM 5.52 | io.netty:netty-codec-http 4.1.132.Final (fixed in 4.1.133.Final, 4.2.13.Final) | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-42580 | MEDIUM 5.52 | io.netty:netty-codec-http 4.1.132.Final (fixed in 4.2.13.Final, 4.1.133.Final) | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2026-41417 | MEDIUM 5.52 | io.netty:netty-codec-http 4.2.12.Final (fixed in 4.1.133.Final, 4.2.13.Final) | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-42580 | MEDIUM 5.52 | io.netty:netty-codec-http 4.2.12.Final (fixed in 4.2.13.Final, 4.1.133.Final) | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2026-6019 | MEDIUM 5.18 | python3-libs 3.9.25-1.amzn2023.0.5 (fixed in 3.9.25-1.amzn2023.0.6) | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2026-34477 | MEDIUM 5.02 | org.apache.logging.log4j:log4j-core 2.25.3 (fixed in 2.25.4) | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2026-27142 | MEDIUM 4.59 | libcap 2.73-1.amzn2023.0.6 (fixed in 2.73-1.amzn2023.0.7) | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-50020 | MEDIUM 4.5 | io.netty:netty-codec-http 4.1.132.Final (fixed in 4.2.15.Final, 4.1.135.Final) | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2026-50020 | MEDIUM 4.5 | io.netty:netty-codec-http 4.2.12.Final (fixed in 4.2.15.Final, 4.1.135.Final) | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2026-47244 | MEDIUM 4.5 | io.netty:netty-codec-http2 4.1.132.Final (fixed in 4.2.15.Final, 4.1.135.Final) | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-50560 | MEDIUM 4.5 | io.netty:netty-codec-http2 4.1.132.Final (fixed in 4.2.15.Final, 4.1.135.Final) | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-47244 | MEDIUM 4.5 | io.netty:netty-codec-http2 4.2.12.Final (fixed in 4.2.15.Final, 4.1.135.Final) | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-50560 | MEDIUM 4.5 | io.netty:netty-codec-http2 4.2.12.Final (fixed in 4.2.15.Final, 4.1.135.Final) | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-6019 | LOW 3.11 | python3 3.9.25-1.amzn2023.0.5 (fixed in 3.9.25-1.amzn2023.0.6) | 0.2% (Theoretical Threat) | Post-Exploit |
| CVE-2026-39823 | NONE 0 | libcap 2.73-1.amzn2023.0.6 (fixed in 2.73-1.amzn2023.0.7) | 0.3% (Theoretical Threat) | Not Applicable |
| CVE-2026-42499 | NONE 0 | libcap 2.73-1.amzn2023.0.6 (fixed in 2.73-1.amzn2023.0.7) | 0.6% (Theoretical Threat) | Not Applicable |
| CVE-2026-42583 | NONE 0 | io.netty:netty-codec 4.1.132.Final (fixed in 4.1.133.Final) | 0.4% (Theoretical Threat) | Not Applicable |
| CVE-2026-50009 | NONE 0 | io.netty:netty-codec-classes-quic 4.2.12.Final (fixed in 4.2.15.Final) | 0.2% (Theoretical Threat) | Not Applicable |
| CVE-2026-42583 | NONE 0 | io.netty:netty-codec-compression 4.2.12.Final (fixed in 4.2.13.Final) | 0.4% (Theoretical Threat) | Not Applicable |
| CVE-2026-42582 | NONE 0 | io.netty:netty-codec-http3 4.2.12.Final (fixed in 4.2.13.Final) | 0.4% (Theoretical Threat) | Not Applicable |
| CVE-2026-44892 | NONE 0 | io.netty:netty-codec-http3 4.2.12.Final (fixed in 4.2.15.Final) | 0.5% (Theoretical Threat) | Not Applicable |
| CVE-2026-8149 | NONE 0 | org.bouncycastle:bc-fips 2.1.2 (No fix yet) | 0.2% (Theoretical Threat) | Not Applicable |