KurrentDB

v26.0.3 Security

This release includes 2 security fixes that security teams reviewing exposed deployments should assess.

This release patches 2 known CVEs

Topics

cqrs database event-sourcing event-store eventsourcing eventstore

Affected surfaces

deps breaking_upgrade

ReleasePort's take

Light signal

Release v26.0.3 of KurrentDB includes workarounds for CVE-2026-44302 and CVE-2026-44788.

Why it matters: Upgrade to v26.0.3 immediately if your deployment uses dependencies affected by CVE-2026-44302 or by CVE-2026-44788 (SharpCompress).

Summary

AI summary

Workarounds for CVE-2026-44302 and CVE-2026-44788 are included in this release.

Changes in this release

Security Medium

Upgrade packages to patch CVEs

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Workaround CVE-2026-44302

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Workaround CVE-2026-44788 in SharpCompress

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Support appends conditional on other streams

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Enable optimistic concurrency across stream boundaries

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Report all consistency check failures from core

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Add support for ExpectedVersion.SoftDeleted

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Enable schema compatibility checking

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Improve multi-stream append ordering and version reporting

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Allow OAuth and LDAPS plugins to use standard configuration

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Use server-generated node identity for pinned subscriptions

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Add option to skip PKCE code_challenge_methods_supported validation

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Add created property to events in JavaScript projections

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Add DisableClientAuthEkuValidation option for node certificates

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Report sentinel event numbers for check-only streams

Source: llm_adapter@2026-05-21

Confidence: high

Performance Medium

Improve pinned persistent subscription performance under burst load

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Fix persistent subscription checkpoint bug in pinned strategy

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Fix three JintProjectionStateHandler correctness bugs

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Resolve daily memory and disk spikes on large databases

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Treat writes as idempotent when all events previously written

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Reply NotHandled when persistent subscriptions service not ready

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Adjust consistency checks for deleted streams expected versions

Source: llm_adapter@2026-05-21

Confidence: high

Full changelog

What's Changed

Fixed

  • [release/v26.0] [DB-1962] Resolve daily memory/disk spike on large databases by @github-actions[bot] in https://github.com/kurrent-io/KurrentDB/pull/5558
  • [release/v26.0] [DB-1912] Persistent subscriptions: Fix wrong checkpoint when using pinned strategy by @github-actions[bot] in https://github.com/kurrent-io/KurrentDB/pull/5578
  • [DB-2085] Fix three JintProjectionStateHandler correctness bugs (#5610) by @timothycoleman in https://github.com/kurrent-io/KurrentDB/pull/5623

Changed

  • [release/v26.0] [DB-1923] Log useful information when interpreting auth plugin config files by @github-actions[bot] in https://github.com/kurrent-io/KurrentDB/pull/5510
  • [release/v26.0] [DB-1921] Add option to skip PKCE code_challenge_methods_supported validation by @github-actions[bot] in https://github.com/kurrent-io/KurrentDB/pull/5512
  • [release/v26.0] [DB-1840] Support appends conditional on other streams by @github-actions[bot] in https://github.com/kurrent-io/KurrentDB/pull/5513
  • [release/v26.0] [DB-1918] Report all consistency check failures out of the core by @github-actions[bot] in https://github.com/kurrent-io/KurrentDB/pull/5516
  • [26.0][DB-1929] Allow OAuth and Ldaps plugins to consume configuration from standard sources by @timothycoleman in https://github.com/kurrent-io/KurrentDB/pull/5515
  • [release/v26.0] [DB-1931] Add created property to events provided to JS projections by @github-actions[bot] in https://github.com/kurrent-io/KurrentDB/pull/5520
  • [release/v26.0] [DB-1940] Adjust consistency checks for expected version NoStream with soft and hard deleted streams by @github-actions[bot] in https://github.com/kurrent-io/KurrentDB/pull/5532
  • [release/v26.0] [DB-1938] Improve multi-stream append check-only streams: Ordering constraint & Version reporting by @github-actions[bot] in https://github.com/kurrent-io/KurrentDB/pull/5536
  • [release/v26.0][DB-1948] Add support for ExpectedVersion.SoftDeleted (#5540) by @timothycoleman in https://github.com/kurrent-io/KurrentDB/pull/5541
  • [release/v26.0][DEV-1036] Optimistic concurrency across stream boundaries by @w1am in https://github.com/kurrent-io/KurrentDB/pull/5542
  • [release/v26.0] [DB-1954] Add DisableClientAuthEkuValidation option for node certificate authentication by @github-actions[bot] in https://github.com/kurrent-io/KurrentDB/pull/5550
  • [release/v26.0] [DB-1951] Report sentinel event numbers for check-only streams in ConsistencyChecksSucceeded by @github-actions[bot] in https://github.com/kurrent-io/KurrentDB/pull/5564
  • [release/v26.0] [DB-1951] Add MSA idempotency tests that correspond to the existing behaviour by @github-actions[bot] in https://github.com/kurrent-io/KurrentDB/pull/5573
  • [release/v26.0] Enable schema compatibility checking by @github-actions[bot] in https://github.com/kurrent-io/KurrentDB/pull/5566
  • [release/v26.0] [DB-1951] Treat writes as idempotent if all events were previously written, even with check-only streams by @github-actions[bot] in https://github.com/kurrent-io/KurrentDB/pull/5577
  • [DB-2027] Cherry pick package upgrades for CVEs by @timothycoleman in https://github.com/kurrent-io/KurrentDB/pull/5612
  • [DB-2027] Improve pinned persistent subscription performance under burst load (#5576) by @timothycoleman in https://github.com/kurrent-io/KurrentDB/pull/5613
  • [release/v26.0] [DB-2044] Reply NotHandled when Persistent subscriptions service is not ready by @github-actions[bot] in https://github.com/kurrent-io/KurrentDB/pull/5596
  • [DB-2027][release/v26.0] Use server-generated Node identity in Persistent Subscription Pinned strategy by @github-actions[bot] in https://github.com/kurrent-io/KurrentDB/pull/5597
  • [DB-2098] Workaround CVE-2026-44302 by @timothycoleman in https://github.com/kurrent-io/KurrentDB/pull/5622
  • [DB-2098] Workaround CVE-2026-44788 SharpCompress by @timothycoleman in https://github.com/kurrent-io/KurrentDB/pull/5625

Full Changelog: https://github.com/kurrent-io/KurrentDB/compare/v26.0.2...v26.0.3

Security Fixes

  • CVE-2026-44302 — workaround implemented (DB-2098)
  • CVE-2026-44788 SharpCompress — workaround implemented (DB-2098)

About KurrentDB

KurrentDB is a database that's engineered for modern software applications and event-driven architectures. Its event-native design simplifies data modeling and preserves data integrity while the integrated streaming engine solves distributed messaging challenges and ensures data consistency.
