Hi @ivyTeam @IvyExperts,
I am currently reviewing security vulnerabilities reported for Axon Ivy Engine 10.0.36 and would like to ask whether there are plans to patch or upgrade the affected dependencies in an upcoming release.
The following CVEs appear to originate from dependencies bundled with the Axon Ivy Engine/runtime.
Tomcat bundle (org.apache.tomcat:tomcat-catalina 9.0.117):
- CVE-2026-41293 (CRITICAL)
- CVE-2026-43512 (CRITICAL)
- CVE-2026-43515 (CRITICAL)
- CVE-2026-41284 (HIGH)
- CVE-2026-42498 (HIGH)
- CVE-2026-43513 (HIGH)
These seem related to the embedded Tomcat bundle shipped with the engine.
This could be upgraded to Tomcat 9.0.118 to fix the CVEs, as the version currently bundled inside the engine is 9.0.117.
Additional engine/runtime dependencies:
- org.codehaus.plexus:plexus-utils 3.6.0
- org.hibernate:hibernate-core 5.4.33.Final
- org.postgresql:postgresql 42.7.10
- org.bouncycastle:bcpkix-jdk18on 1.78.1
- org.bouncycastle:bcprov-jdk18on 1.78.1

- CVE-2026-0636 (HIGH)
- CVE-2026-5598 (HIGH)
Could you please clarify:
- Whether any of these CVEs are already patched/backported internally by Axon Ivy.
- Whether there is a planned engine release that upgrades these dependencies.
- If there is an ETA or recommended mitigation/workaround for customers in the meantime.
Thanks.
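A practitioner reading this thread will usually want to confirm on their own installation which versions are actually bundled before raising a ticket, and to re-run the same check after an engine upgrade. The script below is an added example written for this page; it is not code from Axon Ivy or from the original poster. It parses Maven-style jar file names (`<artifactId>-<version>.jar`) from a lib directory and compares each version against a table of minimum fixed versions. The only entry in that table is Tomcat 9.0.118, taken from the post above; the sample jar list is constructed to mirror the versions the post lists, and the lib directory path is an assumption to adjust for your install. Fixed versions for the other dependencies are deliberately left out because the post does not state them; fill them in from the vendor advisory rather than guessing.

```python
import re
from pathlib import Path

# Constructed sample inventory mirroring the versions listed in the post above.
# A real run replaces this with the jar names found in the engine's lib directory.
SAMPLE_JARS = [
    "tomcat-catalina-9.0.117.jar",
    "plexus-utils-3.6.0.jar",
    "hibernate-core-5.4.33.Final.jar",
    "postgresql-42.7.10.jar",
    "bcpkix-jdk18on-1.78.1.jar",
    "bcprov-jdk18on-1.78.1.jar",
]

# Minimum version that closes the reported CVEs, keyed by artifactId.
# Only the Tomcat entry (9.0.118) is stated in the post; add other artifacts
# here only once the vendor advisory names a fixed version.
MIN_FIXED = {
    "tomcat-catalina": "9.0.118",
}

# Maven-style jar names: <artifactId>-<version>.jar, where the version starts with a digit.
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][\w-]*?)-(?P<version>\d[\w.]*)\.jar$")


def parse_jar_name(name):
    """Split 'bcpkix-jdk18on-1.78.1.jar' into ('bcpkix-jdk18on', '1.78.1'); None if not Maven-style."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def version_key(version):
    """'5.4.33.Final' -> ((5, 4, 33), 'Final'): leading numeric parts, then any qualifier."""
    nums = []
    qualifier = ""
    for part in version.split("."):
        if part.isdigit():
            nums.append(int(part))
        else:
            qualifier = part
            break
    return tuple(nums), qualifier


def is_below(current, minimum):
    """True when the numeric part of `current` sorts before that of `minimum`.
    Qualifiers (Final, RC1, ...) are ignored on purpose: when the numbers tie,
    no alarm is raised and the qualifier should be checked by hand."""
    return version_key(current)[0] < version_key(minimum)[0]


def audit(jar_names, min_fixed):
    """One finding per Maven-style jar: artifact, bundled version, minimum fixed version, verdict.
    needs_upgrade is True/False when a minimum is on record, None when it is not."""
    findings = []
    for name in sorted(jar_names):
        parsed = parse_jar_name(name)
        if parsed is None:
            continue  # not a versioned jar; nothing to compare against
        artifact, version = parsed
        minimum = min_fixed.get(artifact)
        verdict = None if minimum is None else is_below(version, minimum)
        findings.append({"artifact": artifact, "version": version,
                         "min_fixed": minimum, "needs_upgrade": verdict})
    return findings


def scan_lib_dir(lib_dir):
    """Collect jar file names from a lib directory (the path is an assumption; adjust to your install)."""
    return [p.name for p in Path(lib_dir).glob("*.jar")]


if __name__ == "__main__":
    # Replace SAMPLE_JARS with scan_lib_dir("/path/to/engine/lib") for a real check.
    for f in audit(SAMPLE_JARS, MIN_FIXED):
        status = {True: "UPGRADE", False: "ok", None: "no fixed version on record"}[f["needs_upgrade"]]
        print(f"{f['artifact']:<20} {f['version']:<14} min={f['min_fixed'] or '-':<10} {status}")
```

Two caveats when using this against a real engine: a jar's file name is only a hint, so confirm the version from `META-INF/MANIFEST.MF` or `META-INF/maven/*/pom.properties` inside the jar where the name is ambiguous, and a dependency being present does not by itself mean the vulnerable code path is reachable, which is exactly the question the post puts to the vendor.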