- Issued: 2026-06-02
- Updated: 2026-06-02
RHSA-2026:22619 - Security Advisory
Synopsis
Important: Red Hat Data Grid 8.6.1 security update
Type/Severity
Security Advisory: Important
Topic
An update for Red Hat Data Grid 8 is now available.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It reduces application response times and dramatically improves performance while providing availability, reliability, and elastic scale.
Data Grid 8.6.1 replaces Data Grid 8.6.0 and includes bug fixes and enhancements. Find out more about Data Grid 8.6.1 in the Release Notes[3].
Security Fix(es):
- netty-codec-http: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood [jdg-8] (CVE-2026-33871)
- netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values [jdg-8] (CVE-2026-33870)
- axios: Axios: NO_PROXY bypass via crafted URL [jdg-8] (CVE-2026-42043)
- axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling [jdg-8.6] (CVE-2026-42041)
- axios: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data [jdg-8.6] (CVE-2026-42039)
- axios: Axios: HTTP Transport Hijacking via Prototype Pollution [jdg-8.6] (CVE-2026-42033)
- spring-boot: Spring Boot: Weak pseudo-random number generation can lead to information disclosure [jdg-8.6] (CVE-2026-40975)
- lodash: lodash: Arbitrary code execution via untrusted input in template imports [jdg-8.6] (CVE-2026-4800)
- dompurify: DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitization [jdg-8.6] (CVE-2026-41240)
- log4j-layout-template-json: Apache Log4j JsonTemplateLayout: Denial of Service via invalid JSON output [jdg-8.6] (CVE-2026-34481)
- log4j-core: Apache Log4j Core: Invalid XML output causes denial of service in logging [jdg-8.6] (CVE-2026-34480)
- log4j-core-test: Apache Log4j Core: Log injection via CRLF sequences due to configuration attribute renames [jdg-8.6] (CVE-2026-34478)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to: https://access.redhat.com/articles/11258
Affected Products
- Red Hat JBoss Middleware 1 x86_64
Fixes
- BZ - 2452453 - CVE-2026-33870 io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values
- BZ - 2452456 - CVE-2026-33871 netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood
- BZ - 2453496 - CVE-2026-4800 lodash: lodash: Arbitrary code execution via untrusted input in template imports
- BZ - 2457321 - CVE-2026-34481 org.apache.logging.log4j: Apache Log4j JsonTemplateLayout: Denial of Service via invalid JSON output
- BZ - 2457323 - CVE-2026-34478 org.apache.logging.log4j/log4j-core: Apache Log4j Core: Log injection via CRLF sequences due to configuration attribute renames
- BZ - 2457328 - CVE-2026-34480 org.apache.logging.log4j/log4j-core: Apache Log4j Core: Invalid XML output causes denial of service in logging
- BZ - 2461147 - CVE-2026-41240 DOMPurify: DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitization
- BZ - 2461607 - CVE-2026-42033 axios: Axios: HTTP Transport Hijacking via Prototype Pollution
- BZ - 2461626 - CVE-2026-42043 axios: Axios: NO_PROXY bypass via crafted URL
- BZ - 2461629 - CVE-2026-42041 axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling
- BZ - 2461630 - CVE-2026-42039 axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data
- BZ - 2463331 - CVE-2026-40975 Spring Boot: Spring Boot: Weak pseudo-random number generation can lead to information disclosure
CVEs
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.