Hi everyone,
We’re happy to announce the release of Kafka Connect ScyllaDB Sink Connector v1.1.7.
This is a patch release focused on security remediations and ScyllaDB 2026.x compatibility.
What’s Changed
Security
- CVE-2026-54512 (jackson-databind, CVSS 8.1):
PolymorphicTypeValidatorallow-list bypass — a denied class can be smuggled in as a generic type parameter of an allowed container (e.g.java.util.ArrayList<com.evil.Gadget>), enabling deserialization of untrusted classes. Fixed by bumping jackson to 2.21.5 (#194, #198). - CVE-2026-54513 (jackson-databind, CVSS 8.1):
allowIfSubTypeIsArray()allow-lists any array type without validating the component type, bypassing the PTV allow-list. Fixed by bumping jackson to 2.21.5 (#194, #198). - CVE-2026-54514 / 54515 / 54516 / 54517 / 54518 (jackson-databind, MEDIUM): eager DNS resolution during deserialization, plus
@JsonIgnoreProperties,@JsonIgnore, and@JsonView/@JsonUnwrappedfilter bypasses. Fixed by bumping jackson to 2.21.5 (#194, #198). - CVE-2026-44249 (Netty, CVSS 8.1):
IpSubnetFilterRule.compareTo()performs an incorrect masking operation, allowing attackers to bypass IPv6 subnet ACL rules with valid public IP addresses. Fixed transitively via the ScyllaDB Java Driver 4.19.2.0 (netty 4.1.135.Final) (#167). - CVE-2026-45416 (Netty, CVSS 7.5):
SslClientHelloHandler.decode()eagerly allocates up to 16 MiB of unpooled memory per TLS ClientHello underSniHandlerdefaults, allowing memory-exhaustion DoS. Fixed transitively via the ScyllaDB Java Driver 4.19.2.0 (netty 4.1.135.Final) (#167). - CVE-2026-50010 (Netty, CVSS 7.5): improper trust-manager handling disables TLS hostname verification in some configurations, enabling MITM. Fixed transitively via the ScyllaDB Java Driver 4.19.2.0 (netty 4.1.135.Final) (#167).
Compatibility
- ScyllaDB 2026.x support: keyspace creation now uses
NetworkTopologyStrategyinstead ofSimpleStrategy(#192).
Dependencies
- ScyllaDB Java Driver updated to 4.19.2.0 (#167).
Who should upgrade
This release is recommended for all users, particularly those whose connectors are reachable from untrusted network peers, use TLS with SNI routing, or run on ScyllaDB 2026.x .
Links
- Full Changelog: Comparing 1.1.6…1.1.7
- GitHub Release: Release 1.1.7
As always, feel free to report any issues on GitHub.