Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 3.6.0
Describe the issue : The latest OpenSearch 3.6.0 has critical vulnerabilities in Netty Project 4.2.12.Final and Netty Project 4.2.7.Final. Below are the vulnerabilities. Are these vulnerabilities planned for fix/resolution in the upcoming June 9th (3.7.0) release?
CVE-2026-42581
CVE-2026-42579
CVE-2026-42584
Configuration : Blackduck reported vulnerabilities in opensearch package
Relevant Logs or Screenshots : Blackduck scan
pablo
June 2, 2026, 7:37pm
@nikhil.rathore According to this merge request, Netty has been updated to version 4.2.14. That will fix all the mentioned CVEs.
main ← reta:netty.4.2.14
opened 01:08AM - 21 May 26 UTC
### Description
Bump Netty to 4.2.14.Final
### Related Issues
N/A
### Check List
- [ ] Functionality includes testing.
- [ ] API changes companion pull request [created](https://github.com/opensearch-project/opensearch-api-specification/blob/main/DEVELOPER_GUIDE.md), if applicable.
- [ ] Public documentation issue/PR [created](https://github.com/opensearch-project/documentation-website/issues/new/choose), if applicable.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).
Also, it will be backported to version 3.6.
3.6 ← reta:netty.4.2.14-3.6
opened 02:16AM - 21 May 26 UTC
Backport of https://github.com/opensearch-project/OpenSearch/pull/21772 to `3.6`