apache · cecemei · Apr 29, 2026 · Apr 28, 2026 · Apr 28, 2026 · Apr 28, 2026
diff --git a/extensions-core/druid-pac4j/pom.xml b/extensions-core/druid-pac4j/pom.xml
@@ -34,11 +34,11 @@
   </parent>
 
   <properties>
-    <pac4j.version>5.7.3</pac4j.version>
+    <pac4j.version>5.7.10</pac4j.version>
 
     <!-- Following must be updated along with any updates to pac4j version. One can find the compatible version of nimbus libraries in org.pac4j:pac4j-oidc dependencies-->
     <nimbus.lang.tag.version>1.7</nimbus.lang.tag.version>
-    <nimbus.jose.jwt.version>9.37.2</nimbus.jose.jwt.version>
+    <nimbus.jose.jwt.version>9.37.3</nimbus.jose.jwt.version>
     <oauth2.oidc.sdk.version>10.8</oauth2.oidc.sdk.version>
   </properties>
 

diff --git a/licenses.yaml b/licenses.yaml
@@ -877,7 +877,7 @@ name: pac4j-oidc java security library
 license_category: binary
 module: extensions/druid-pac4j
 license_name: Apache License version 2.0
-version: 5.7.3
+version: 5.7.10
 libraries:
   - org.pac4j: pac4j-oidc
 
@@ -887,7 +887,7 @@ name: pac4j-core java security library
 license_category: binary
 module: extensions/druid-pac4j
 license_name: Apache License version 2.0
-version: 5.7.3
+version: 5.7.10
 libraries:
   - org.pac4j: pac4j-core
 
@@ -897,7 +897,7 @@ name: pac4j-javaee java security library
 license_category: binary
 module: extensions/druid-pac4j
 license_name: Apache License version 2.0
-version: 5.7.3
+version: 5.7.10
 libraries:
   - org.pac4j: pac4j-javaee
 
@@ -918,7 +918,7 @@ name: com.nimbusds nimbus-jose-jwt
 license_category: binary
 module: extensions/druid-pac4j
 license_name: Apache License version 2.0
-version: 9.37.2
+version: 9.37.3
 libraries:
   - com.nimbusds: nimbus-jose-jwt
 
@@ -2000,7 +2000,7 @@ name: Apache Log4j
 license_category: binary
 module: java-core
 license_name: Apache License version 2.0
-version: 2.25.3
+version: 2.25.4
 libraries:
   - org.apache.logging.log4j: log4j-1.2-api
   - org.apache.logging.log4j: log4j-api
@@ -4042,7 +4042,7 @@ name: Rhino
 license_category: binary
 module: java-core
 license_name: Mozilla Public License Version 2.0
-version: 1.8.0
+version: 1.8.1
 copyright: Mozilla and individual contributors.
 license_file_path: licenses/bin/rhino.MPL2
 libraries:

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
@@ -148,6 +148,14 @@
     <cve>CVE-2025-5115</cve> <!-- netty issue in shaded hadoop -->
   </suppress>
 
+  <suppress>
+    <!-- from extensions using hadoop-client-runtime 3.5.0, these dependencies are shaded in the jar -->
+    <notes><![CDATA[
+     file name: hadoop-client-runtime-3.5.0.jar
+     ]]></notes>
+    <cve>CVE-2026-5795</cve> <!-- Jetty 9.4.58 JASPI ThreadLocal privilege escalation in shaded hadoop. Not exploitable in Druid's Hadoop client usage (file operations only, no JASPI auth). Requires Hadoop to update to Jetty 9.4.59+ -->
+  </suppress>
+
   <!-- those are false positives, no other tools report any of those CVEs in the hadoop package -->
   <suppress>
       <notes><![CDATA[
@@ -752,4 +760,12 @@
     ]]></notes>
     <vulnerabilityName>CVE-2024-11407</vulnerabilityName> <!-- This CVE is a false positive for java. The CVE is related to their cpp library, not java -->
   </suppress>
+
+  <suppress>
+    <notes><![CDATA[
+    file name: grpc-*.jar (all grpc-java artifacts, any version)
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.grpc/grpc-.*@.*$</packageUrl>
+    <cve>CVE-2026-33186</cve> <!-- Only applicable to gRPC Go (google.golang.org/grpc < 1.79.3), not gRPC Java - https://nvd.nist.gov/vuln/detail/CVE-2026-33186 -->
+  </suppress>
 </suppressions>
diff --git a/pom.xml b/pom.xml
@@ -106,7 +106,7 @@
         <jersey.version>1.19.4</jersey.version>
         <jackson.version>2.20.2</jackson.version>
         <codehaus.jackson.version>1.9.13</codehaus.jackson.version>
-        <log4j.version>2.25.3</log4j.version>
+        <log4j.version>2.25.4</log4j.version>
         <mysql.version>8.2.0</mysql.version>
         <mariadb.version>2.7.3</mariadb.version>
         <netty3.version>3.10.6.Final</netty3.version>
@@ -683,12 +683,12 @@
             <dependency>
                 <groupId>org.mozilla</groupId>
                 <artifactId>rhino</artifactId>
-                <version>1.8.0</version>
+                <version>1.8.1</version>
             </dependency>
             <dependency>
                 <groupId>org.mozilla</groupId>
                 <artifactId>rhino-engine</artifactId>
-                <version>1.8.0</version>
+                <version>1.8.1</version>
             </dependency>
             <dependency>
                 <groupId>org.apache.commons</groupId>