[RELEASE] Kafka Connect ScyllaDB Sink Connector v1.1.7

Hi everyone,

We’re happy to announce the release of Kafka Connect ScyllaDB Sink Connector v1.1.7.
This is a patch release focused on security remediations and ScyllaDB 2026.x compatibility.

What’s Changed

Security

  • CVE-2026-54512 (jackson-databind, CVSS 8.1): PolymorphicTypeValidator allow-list bypass — a denied class can be smuggled in as a generic type parameter of an allowed container (e.g. java.util.ArrayList<com.evil.Gadget>), enabling deserialization of untrusted classes. Fixed by bumping jackson to 2.21.5 (#194, #198).
  • CVE-2026-54513 (jackson-databind, CVSS 8.1): allowIfSubTypeIsArray() allow-lists any array type without validating the component type, bypassing the PTV allow-list. Fixed by bumping jackson to 2.21.5 (#194, #198).
  • CVE-2026-54514 / 54515 / 54516 / 54517 / 54518 (jackson-databind, MEDIUM): eager DNS resolution during deserialization, plus @JsonIgnoreProperties, @JsonIgnore, and @JsonView/@JsonUnwrapped filter bypasses. Fixed by bumping jackson to 2.21.5 (#194, #198).
  • CVE-2026-44249 (Netty, CVSS 8.1): IpSubnetFilterRule.compareTo() performs an incorrect masking operation, allowing attackers to bypass IPv6 subnet ACL rules with valid public IP addresses. Fixed transitively via the ScyllaDB Java Driver 4.19.2.0 (netty 4.1.135.Final) (#167).
  • CVE-2026-45416 (Netty, CVSS 7.5): SslClientHelloHandler.decode() eagerly allocates up to 16 MiB of unpooled memory per TLS ClientHello under SniHandler defaults, allowing memory-exhaustion DoS. Fixed transitively via the ScyllaDB Java Driver 4.19.2.0 (netty 4.1.135.Final) (#167).
  • CVE-2026-50010 (Netty, CVSS 7.5): improper trust-manager handling disables TLS hostname verification in some configurations, enabling MITM. Fixed transitively via the ScyllaDB Java Driver 4.19.2.0 (netty 4.1.135.Final) (#167).

Compatibility

  • ScyllaDB 2026.x support: keyspace creation now uses NetworkTopologyStrategy instead of SimpleStrategy (#192).

Dependencies

  • ScyllaDB Java Driver updated to 4.19.2.0 (#167).

Who should upgrade

This release is recommended for all users, particularly those whose connectors are reachable from untrusted network peers, use TLS with SNI routing, or run on ScyllaDB 2026.x .

Links

As always, feel free to report any issues on GitHub.