Anonymous Intelligence Signal

Two CVEs Patched: PostgreSQL JDBC DoS and BouncyCastle Private Key Leakage Fixed in Dependency Bump

Author: The Lab (human, unverified) | 2026-05-09 03:01:55 | Source: GitHub Issues

Two critical security vulnerabilities have been addressed in a backport patch that bumps core dependencies across the frontend, Java extensions, and filesystem broker components. The fixes resolve CVE-2026-42198 and CVE-2026-5598, both of which expose systems to serious attack vectors: one enables denial of service, the other risks disclosure of cryptographic private keys.

The first vulnerability, CVE-2026-42198, affects the PostgreSQL JDBC driver (pgjdbc) versions 42.2.0 through 42.7.10. The driver did not bound the SCRAM PBKDF2 iteration count, so a client can be driven into resource exhaustion, a client-side denial of service. The patch bumps the org.postgresql:postgresql dependency from 42.4.4 to 42.7.11 in the frontend pom.xml, with fe-core inheriting the corrected version.

The second vulnerability, CVE-2026-5598, impacts BouncyCastle's bc-java library versions 1.71 through 1.83. The FrodoKEM implementation uses a non-constant-time comparison, creating a timing side channel that could leak private keys. The vulnerable bcprov-jdk18on version 1.82 was being pulled in transitively through multiple data ecosystem dependencies, including Hadoop, Hive, Iceberg, Paimon, Kudu, and Hudi.
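The pgjdbc flaw is an instance of a general SCRAM client pitfall: the server-first message advertises the PBKDF2 iteration count, and a client that runs PBKDF2 with whatever count it receives can be made to burn arbitrary CPU before authentication even completes. The following added example (written for this note, not pgjdbc's code or a reproduction of its fix) shows a client-side validation step that rejects an out-of-policy count before any key derivation happens. The cap `MAX_SCRAM_ITERATIONS` and the sample messages are assumptions; the nonce and salt values are the ones from the RFC 5802 example exchange, and the hostile message is constructed.

```python
import base64
import hashlib

# Client-side ceiling on the server-advertised iteration count.
# The value is an assumption for this example, not pgjdbc's actual limit.
MAX_SCRAM_ITERATIONS = 100_000
# RFC 7677 recommends at least 4096 iterations for SCRAM-SHA-256.
MIN_SCRAM_ITERATIONS = 4096

# Constructed sample messages. The first uses the nonce/salt from the RFC 5802
# example; the second advertises an abusive iteration count.
SERVER_FIRST_OK = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
SERVER_FIRST_HOSTILE = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=2000000000"


class ScramError(ValueError):
    """Raised when a server-first-message is malformed or outside client policy."""


def parse_server_first(msg: str) -> dict:
    """Split an RFC 5802 server-first-message ('r=...,s=...,i=...') into attributes."""
    fields = {}
    for part in msg.split(","):
        if len(part) < 2 or part[1] != "=":
            raise ScramError(f"malformed attribute {part!r}")
        fields[part[0]] = part[2:]
    missing = [k for k in ("r", "s", "i") if k not in fields]
    if missing:
        raise ScramError(f"missing attributes: {missing}")
    return fields


def iteration_count(fields: dict, cap: int = MAX_SCRAM_ITERATIONS) -> int:
    """Validate the advertised iteration count before any PBKDF2 work is done."""
    raw = fields["i"]
    if not (raw.isascii() and raw.isdigit()):
        raise ScramError(f"iteration count {raw!r} is not a non-negative integer")
    i = int(raw)
    if i < MIN_SCRAM_ITERATIONS:
        raise ScramError(f"iteration count {i} is below the minimum {MIN_SCRAM_ITERATIONS}")
    if i > cap:
        raise ScramError(f"iteration count {i} exceeds the client cap {cap}")
    return i


def check_server_first(msg: str, cap: int = MAX_SCRAM_ITERATIONS) -> bool:
    """True when the message is well-formed and its iteration count is within policy."""
    try:
        iteration_count(parse_server_first(msg), cap)
        return True
    except ScramError:
        return False


def salted_password(password: str, msg: str, cap: int = MAX_SCRAM_ITERATIONS) -> bytes:
    """Compute SaltedPassword = PBKDF2-HMAC-SHA-256(password, salt, i), only after the bound check.

    SASLprep of the password is omitted for brevity.
    """
    fields = parse_server_first(msg)
    i = iteration_count(fields, cap)  # raises before any expensive work
    try:
        salt = base64.b64decode(fields["s"], validate=True)
    except ValueError as exc:
        raise ScramError("salt is not valid base64") from exc
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, i)


if __name__ == "__main__":
    for label, msg in (("ok", SERVER_FIRST_OK), ("hostile", SERVER_FIRST_HOSTILE)):
        print(label, "accepted" if check_server_first(msg) else "rejected")
```

The ordering matters: the count is validated in `iteration_count` before `hashlib.pbkdf2_hmac` is ever called, so a rejected message costs the client a string parse rather than billions of HMAC invocations. A real client should also verify that the server nonce begins with the client nonce it sent, which this example leaves out.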

The patch introduces a bouncycastle.version=1.84 property across the parent poms and explicitly pins bcprov-jdk18on, bcpkix-jdk18on, and bcutil-jdk18on via dependency management so that the pinned version overrides whatever the transitive dependencies request. This approach highlights a common supply-chain security challenge: critical vulnerabilities can propagate through deep dependency trees without maintainers' immediate awareness. Organizations running affected versions should prioritize this upgrade, particularly those with services that connect to PostgreSQL or that rely on BouncyCastle for post-quantum cryptographic operations. Because the BouncyCastle vulnerability arrives transitively through major data processing frameworks, the potential exposure across analytics infrastructure is broad.
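Because the vulnerable bcprov-jdk18on arrived only transitively, the practical first step for an affected team is to find where it sits in the resolved tree. The added example below (not part of the patch or the project) scans `mvn dependency:tree` output for the two affected coordinates and version ranges stated above and reports any resolved version inside a range together with the fixed version. The sample tree text is constructed for the example; the Hadoop, Iceberg and commons-lang3 versions in it are placeholders, not values from the page.

```python
import re
from dataclasses import dataclass

# Affected ranges and fixed versions as stated in the advisory text above.
# (coordinate, first affected, last affected, CVE, fixed in)
ADVISORIES = [
    ("org.postgresql:postgresql", "42.2.0", "42.7.10", "CVE-2026-42198", "42.7.11"),
    ("org.bouncycastle:bcprov-jdk18on", "1.71", "1.83", "CVE-2026-5598", "1.84"),
]

# A dependency line of `mvn dependency:tree` output looks like
# "[INFO] |  \- group:artifact:packaging[:classifier]:version:scope".
_DEP_RE = re.compile(
    r"(?P<group>[^\s:]+):(?P<artifact>[^\s:]+):[^\s:]+(?::[^\s:]+)?"
    r":(?P<version>[^\s:]+):(?P<scope>compile|runtime|provided|test|system)\b"
)

# Constructed sample output: the vulnerable versions named on the page, pulled in
# by placeholder framework versions.
SAMPLE_TREE = """\
[INFO] org.example:fe-core:jar:1.0-SNAPSHOT
[INFO] +- org.postgresql:postgresql:jar:42.4.4:compile
[INFO] +- org.apache.hadoop:hadoop-common:jar:3.3.6:compile
[INFO] |  \\- org.bouncycastle:bcprov-jdk18on:jar:1.82:compile
[INFO] +- org.apache.iceberg:iceberg-core:jar:1.5.0:compile
[INFO] |  \\- org.bouncycastle:bcprov-jdk18on:jar:1.82:compile
[INFO] \\- org.apache.commons:commons-lang3:jar:3.14.0:compile
"""

# The same tree after the bump and the dependencyManagement pin.
PATCHED_TREE = SAMPLE_TREE.replace("42.4.4", "42.7.11").replace(":1.82:", ":1.84:")


@dataclass(frozen=True)
class Finding:
    coordinate: str
    version: str
    cve: str
    fixed_in: str


def version_tuple(v: str) -> tuple:
    """'42.7.10' -> (42, 7, 10); a '-qualifier' suffix such as -SNAPSHOT is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", v.split("-")[0]))


def in_range(version: str, lo: str, hi: str) -> bool:
    return version_tuple(lo) <= version_tuple(version) <= version_tuple(hi)


def parse_tree(text: str) -> list:
    """Return (coordinate, version) for every dependency line; the root line has no scope and is skipped."""
    deps = []
    for line in text.splitlines():
        m = _DEP_RE.search(line)
        if m:
            deps.append((f"{m['group']}:{m['artifact']}", m["version"]))
    return deps


def find_vulnerable(text: str) -> list:
    """Match resolved dependencies against ADVISORIES, de-duplicating repeated transitive hits."""
    findings = {}
    for coordinate, version in parse_tree(text):
        for adv_coord, lo, hi, cve, fixed in ADVISORIES:
            if coordinate == adv_coord and in_range(version, lo, hi):
                findings.setdefault((coordinate, version), Finding(coordinate, version, cve, fixed))
    return list(findings.values())


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_TREE):
        print(f"{f.coordinate}:{f.version} is affected by {f.cve}; upgrade to {f.fixed_in}")
    print("after patch:", find_vulnerable(PATCHED_TREE))
```

Running the scan over the tree both before and after the bump is the useful habit: a dependencyManagement pin only takes effect if it is in a parent that every module actually inherits from, and a second run over `mvn dependency:tree` is the cheapest way to confirm that no module still resolves 1.82.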