This release includes 7 security fixes for security teams reviewing exposed deployments.
ReleasePort's take
Moderate signal: Multiple dependencies (ffmpeg, python-liquid, authlib, idna, libcap2, npm, pip) must be upgraded to specific patched versions to address high-severity CVEs in this release.
Why it matters: CVE severity is critical; all listed dependencies require immediate upgrade to the specified patched versions to prevent exploitation.
Summary
AI summary: Updates Bug Fixes, Chores, and Continuous Integration across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical | Bump ffmpeg to 7.1.4 for CVE-2026-40962. | — |
| Security | Critical | Bump python-liquid to 2.2.0 for CVE-2026-45017. | — |
| Security | Critical | Bump authlib to 1.6.12+ for CVE-2026-41425 and additional CVEs. | — |
| Security | Critical | Bump idna to 3.15 for CVE-2026-45409. | — |
| Security | Critical | Pin libcap2 to 1:2.75-10+deb13u1+b1 for CVE-2026 vulnerability. | — |
| Security | Critical | Bump npm to 11.15.0 for CVE-2026-42338 and additional CVEs. | — |
| Security | Critical | Upgrade pip to 26.1+ for CVE-2026-6357 and additional CVEs. | — |
| Feature | Low | Release version 1.26.1 of the software. | — |
| Feature | Low | Bump UI version to ui-v2.11.3. | — |
| Dependency | Low | Bump mako to 1.3.12 for security vulnerabilities. | — |

Source for every row: llm_adapter@2026-05-26. Confidence: high.
Full changelog
Bug Fixes
- cc1a845 bump mako to 1.3.12 for security vulnerabilities … (#1554) (Hugo Paré)
- 852d0e6 bump ffmpeg to 7.1.4 for CVE-2026-40962 (#1556) (Hugo Paré)
- 35c0b14 bump python-liquid to 2.2.0 for CVE-2026-45017 (#… (#1557) (Hugo Paré)
- ea29b0d bump authlib to 1.6.12+ for CVE-2026-41425, CVE-2… (#1559) (Hugo Paré)
- d5a2c31 bump idna to 3.15 for CVE-2026-45409 (#1560) (Hugo Paré)
- 3cb0c3c pin libcap2 to 1:2.75-10+deb13u1+b1 for CVE-2026-… (#1558) (Hugo Paré)
- 59768b9 bump npm to 11.15.0 for CVE-2026-42338, CVE-2026-… (#1561) (Hugo Paré)
Continuous Integration
- eefa7d2 bump version to ui-v2.11.3 [skip ci] (Automated Version Bump)
Chores
UI Changes up to ui-v2.11.3
Bug Fixes
Security Fixes
- CVE-2026-40962 – bump ffmpeg to 7.1.4
- CVE-2026-45017 – bump python-liquid to 2.2.0
- CVE-2026-41425, CVE-2026-??? – bump authlib to 1.6.12+ (details in commit ea29b0d)
- CVE-2026-45409 – bump idna to 3.15
- CVE-2026-??? – pin libcap2 to 1:2.75-10+deb13u1+b1 (commit d5a2c31)
- CVE-2026-42338, CVE-2026-??? – bump npm to 11.15.0 (commit 59768b9)
- CVE-2026-6357, CVE-2026-??? – upgrade pip to 26.1+ in UI (commit 35ff2d1)
About solace-agent-mesh
An event-driven framework designed to build and orchestrate multi-agent AI systems. It enables seamless integration of AI agents with real-world data sources and systems, facilitating complex, multi-step workflows.