Title
confluent-kafka 2.14.2 / librdkafka 2.14.2 appears to pull vulnerable OpenSSL 3.5.6
Summary
Our dependency scan reports the following chain:
confluent-kafka 2.14.2 -> librdkafka 2.14.2 -> OpenSSL 3.5.6
The reported OpenSSL version is flagged for these CVEs:
CVE-2026-34180, CVE-2026-34181, CVE-2026-34183, CVE-2026-42764, CVE-2026-42766, CVE-2026-42767, CVE-2026-42769, CVE-2026-42770, CVE-2026-45445, CVE-2026-45446, CVE-2026-45447, CVE-2026-7383, CVE-2026-9076
We are using:
- confluent-kafka==2.14.2 (runtime)
- librdkafka==2.14.2
Please confirm whether the distributed confluent-kafka artifacts for 2.14.2 bundle or otherwise depend on OpenSSL 3.5.6, and if so, please publish a fix by updating to a non-vulnerable OpenSSL version.
Requested action
- Confirm the OpenSSL version used by confluent-kafka 2.14.2 / librdkafka 2.14.2
- Clarify affected platforms, wheels, or packages
- Release an updated version with the OpenSSL CVEs remediated
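A way to answer the first requested action locally, as an added check that is not part of this issue or of the confluent-kafka project: OpenSSL embeds its version text (for example "OpenSSL 3.5.6  30 Sep 2025") in libcrypto/libssl, and that string survives when OpenSSL is statically linked into the librdkafka shipped inside a wheel, so scanning the package's native libraries shows which OpenSSL build is actually present rather than what a scanner infers from the dependency chain. The directory names for bundled libraries (`<package>.libs` on manylinux wheels, `.dylibs` on macOS wheels) and the `minimum_openssl` threshold are assumptions supplied by the caller; `confluent_kafka.libversion()` is the binding's own API for the librdkafka version.

```python
"""Report which OpenSSL build is bundled with an installed confluent-kafka wheel.

Added example (not from the issue or the confluent-kafka project). Wheel layout
names below are assumptions about how repaired wheels place native libraries.
"""
import importlib
import importlib.util
import re
from pathlib import Path

# OPENSSL_VERSION_TEXT as embedded in libcrypto/libssl, e.g. "OpenSSL 3.5.6  30 Sep 2025"
OPENSSL_VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)")
NATIVE_SUFFIXES = (".so", ".dylib", ".pyd", ".dll")


def find_openssl_versions(data: bytes) -> set:
    """Return every distinct OpenSSL version string found in a binary blob."""
    return {m.group(1).decode("ascii") for m in OPENSSL_VERSION_RE.finditer(data)}


def version_tuple(version: str) -> tuple:
    """'3.5.6' -> (3, 5, 6); a trailing letter (1.1.1w) is ignored for ordering."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_older_than(found: str, minimum: str) -> bool:
    """True when a bundled version is below the version you treat as patched."""
    return version_tuple(found) < version_tuple(minimum)


def bundled_native_libs(package: str = "confluent_kafka") -> list:
    """Locate shared objects shipped with the package (assumed wheel layouts)."""
    spec = importlib.util.find_spec(package)
    if spec is None or not spec.submodule_search_locations:
        return []
    pkg_dir = Path(next(iter(spec.submodule_search_locations)))
    # package dir itself, macOS delocate dir, and manylinux auditwheel dir
    roots = [pkg_dir, pkg_dir / ".dylibs", pkg_dir.parent / f"{package}.libs"]
    libs = []
    for root in roots:
        if root.is_dir():
            for path in root.rglob("*"):
                if path.is_file() and any(s in path.suffixes for s in NATIVE_SUFFIXES):
                    libs.append(path)
    return libs


def report(package: str = "confluent_kafka", minimum_openssl=None) -> dict:
    """Map each bundled native library to the OpenSSL versions found inside it.

    minimum_openssl: the OpenSSL version your scanner considers patched
    (caller-supplied; the issue does not state one). None disables the check.
    """
    result = {"librdkafka": None, "libraries": {}, "below_minimum": []}
    try:
        mod = importlib.import_module(package)
        result["librdkafka"] = mod.libversion()[0]  # ('2.14.2', 0x...) -> '2.14.2'
    except (ImportError, AttributeError):
        pass  # binding not installed or not a confluent_kafka-like module
    for lib in bundled_native_libs(package):
        versions = find_openssl_versions(lib.read_bytes())
        if versions:
            result["libraries"][str(lib)] = sorted(versions)
            if minimum_openssl:
                result["below_minimum"].extend(
                    v for v in versions if is_older_than(v, minimum_openssl))
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(report(), indent=2))
```

Run it inside the environment that installed the wheel; an empty `libraries` map means no OpenSSL version text was found in the package's native files, which is what you would expect when librdkafka links a system OpenSSL instead of bundling one, so in that case check the system library rather than the wheel.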