Apache Pinot 1.5.1
Apache Pinot 1.5.1 is a security patch release based on 1.5.0. It updates four dependencies to address the critical/high CVEs reported in #18593. There are no functional changes relative to 1.5.0 — only dependency version bumps.
Security fixes
| Dependency | 1.5.0 → 1.5.1 | CVEs addressed |
|---|---|---|
| Netty (netty-bom) | 4.1.122.Final → 4.1.134.Final | CVE-2025-55163, CVE-2025-59419, CVE-2026-33870, CVE-2026-33871, CVE-2026-42579, CVE-2026-42583, CVE-2026-42584, CVE-2026-42587 |
| Log4j Core | 2.25.3 → 2.26.0 | CVE-2026-34478, CVE-2026-34479, CVE-2026-34480, CVE-2026-34481 |
| async-http-client | 3.0.7 → 3.0.10 | CVE-2026-45300 |
| Apache HttpClient 5 | 5.6 → 5.6.1 | CVE-2026-40542 |
Known issue (not fixed)
Jetty — CVE-2026-2332 (HTTP request smuggling) is not addressed in this release. The Jetty 9.4.x branch is end-of-life with no patch available (advisory GHSA-355h-qmc2-wpwf; only Jetty 12.0.33 / 12.1.7 are fixed). Jetty is a managed dependency for the optional Hadoop/Spark/Pulsar plugins only — Pinot's own HTTP layer uses Grizzly/Jersey — and closing the CVE requires a Jetty 9 → 12 migration, which is out of scope for a patch release.
Upgrade notes
This is a drop-in security update for 1.5.0. No configuration, API, or wire-format changes.
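Because 1.5.1 changes nothing except dependency versions, the practical post-upgrade check is to confirm that the jars actually present in a deployment's lib/ and plugins/ directories are at or above the fixed versions in the table, and to see whether a Jetty 9.4.x jar is still shipped by one of the optional plugins. The script below is an added example, not part of these release notes or of the Pinot code base. Its assumptions: jar files follow the Maven `artifactId-version.jar` naming convention, the netty-bom rows apply to the `netty-*` 4.1.x artifacts but not to the separately versioned `netty-tcnative` line, version ordering compares numeric components only (qualifiers such as `.Final` or Jetty's `.v2024...` are ignored), and the embedded directory listing is constructed rather than taken from a real install.

```python
"""Audit jar names against the dependency versions fixed in Pinot 1.5.1.

Added example, not Pinot's own code. Minimum versions come from the 1.5.1
table; jar-name patterns and the sample listing below are assumptions.
"""
import os
import re
import sys
from typing import Dict, List, Tuple

# Maven-style jar name: <artifactId>-<version>.jar (assumption, not enforced by Pinot).
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z0-9_.+-]+?)-(?P<version>\d[\w.]*)\.jar$")

# (artifactId pattern, minimum fixed version) from the 1.5.1 table.
# netty-tcnative is excluded: it is versioned independently of netty-bom (assumption).
FIXED: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"^netty-(?!tcnative)"), "4.1.134.Final"),
    (re.compile(r"^log4j-core$"), "2.26.0"),
    (re.compile(r"^async-http-client$"), "3.0.10"),
    (re.compile(r"^httpclient5$"), "5.6.1"),
]

# Jetty 9.4.x is end-of-life and CVE-2026-2332 is not fixed in 1.5.1; report it separately.
JETTY_EOL_BRANCH = (9, 4)


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a version string: "4.1.134.Final" -> (4, 1, 134).

    Python compares tuples element-wise, so (5, 6) < (5, 6, 1) and
    (3, 0, 7) < (3, 0, 10), which plain string comparison would get wrong.
    """
    nums: List[int] = []
    for part in version.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def audit_jars(jar_names: List[str]) -> Dict[str, list]:
    """Classify jar names as patched, vulnerable (with the required minimum), or Jetty 9.4.x.

    Jars whose artifactId matches no table row are ignored.
    """
    report: Dict[str, list] = {"patched": [], "vulnerable": [], "jetty_eol": []}
    for name in jar_names:
        m = JAR_RE.match(name)
        if not m:
            continue
        artifact, version = m.group("artifact"), m.group("version")
        if artifact.startswith("jetty-") and version_key(version)[:2] == JETTY_EOL_BRANCH:
            report["jetty_eol"].append(name)
            continue
        for pattern, minimum in FIXED:
            if pattern.match(artifact):
                if version_key(version) < version_key(minimum):
                    report["vulnerable"].append((name, minimum))
                else:
                    report["patched"].append(name)
                break
    return report


# Constructed sample listing (not from a real Pinot install).
SAMPLE_JARS = [
    "netty-common-4.1.122.Final.jar",              # still at the 1.5.0 level
    "netty-handler-4.1.134.Final.jar",             # at the fixed version
    "netty-tcnative-classes-2.0.70.Final.jar",     # separate version line, ignored
    "log4j-core-2.25.3.jar",                       # below fix
    "log4j-api-2.26.0.jar",                        # not in the table, ignored
    "async-http-client-3.0.10.jar",                # at the fixed version
    "httpclient5-5.6.jar",                         # below fix
    "jetty-server-9.4.57.v20241219.jar",           # Jetty 9.4.x from an optional plugin
    "pinot-common-1.5.1.jar",                      # unrelated
]


def main(argv: List[str]) -> int:
    """Audit the directories given on the command line, or the sample listing if none."""
    names = SAMPLE_JARS if len(argv) < 2 else [
        f for d in argv[1:] for f in os.listdir(d) if f.endswith(".jar")
    ]
    report = audit_jars(names)
    for name, minimum in report["vulnerable"]:
        print(f"VULNERABLE {name}: needs >= {minimum}")
    for name in report["jetty_eol"]:
        print(f"JETTY 9.4.x {name}: CVE-2026-2332 not fixed in 1.5.1")
    for name in report["patched"]:
        print(f"ok {name}")
    return 1 if report["vulnerable"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with one or more directory arguments (for example the distribution's lib/ and plugins/ trees) to audit a real install; the non-zero exit status on any vulnerable jar makes it usable as a gate in a deployment pipeline. Jetty hits are reported but do not fail the run, since the release notes state that no patched Jetty 9 exists and the jar is only present when the Hadoop, Spark or Pulsar plugins are deployed.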