[RELEASE] Scylla CDC Source Connector v2.0.3

We’re happy to announce the v2.0.3 release of the Scylla CDC Source Connector. This is a patch release focused on security remediations.

Security Updates

Two HIGH severity vulnerabilities in netty-handler have been addressed by overriding the transitive netty dependency to 4.2.15.Final (#277):

• CVE-2026-44249 (CVSS 8.1): IpSubnetFilterRule.compareTo() performs an incorrect masking operation, allowing attackers to bypass IPv6 subnet ACL rules with crafted addresses.
• CVE-2026-45416 (CVSS 7.5): SslClientHelloHandler.decode() allocates up to 16 MiB of unpooled memory per TLS ClientHello when using SniHandler defaults, allowing a peer to trigger memory exhaustion (DoS) with a crafted handshake.

Links

• GitHub Release
• Full Changelog (v2.0.2 → v2.0.3)
• Download: scylla-cdc-source-connector-2.0.3-jar-with-dependencies.jar

If you have any questions or issues, please open a ticket on