Security vulnerabilities(CVEs) and notable bug fixes in 26.0.0.6

Navaneeth S Nair on Jun 16, 2026

announcements , release ,

Post available in languages:

This GA release addresses significant security vulnerabilities and includes important bug fixes that enhance stability, improve performance, and deliver a smoother user experience. Additionally, we have introduced new guides to help users make the most of the platform.

In Open Liberty 26.0.0.6:

Security Vulnerability (CVE) Fixes
Notable bug fixes

Along with the new features and functions added to the runtime, we’ve also made updates to our guides.

View the list of fixed bugs in 26.0.0.6.

Check out previous Open Liberty GA release blog posts.

Develop and run your apps using 26.0.0.6

If you’re using Maven, include the following in your pom.xml file:

<plugin>
    <groupId>io.openliberty.tools</groupId>
    <artifactId>liberty-maven-plugin</artifactId>
    <version>3.12.0</version>
</plugin>

Or for Gradle, include the following in your build.gradle file:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:4.0.0'
    }
}
apply plugin: 'liberty'

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty

Or take a look at our Downloads page.

If you’re using IntelliJ IDEA, Visual Studio Code or Eclipse IDE, you can also take advantage of our open source Liberty developer tools to enable effective development, testing, debugging and application management all from within your IDE.

Security vulnerability (CVE) fixes in this release

CVE	CVSS Score	Vulnerability Assessment	Versions Affected	Notes
CVE-2026-4410	4.8	Denial of service	19.0.0.7-26.0.0.5	Affects the `sipServlet-1.1` feature
CVE-2026-5516	4.4	Denial of service	22.0.0.11-26.0.0.5	Affects the `appSecurity-3.0`, `appSecurity-4.0`, and `appSecurity-5.0` features

For a list of past security vulnerability fixes, reference the Security vulnerability (CVE) list.

Notable bugs fixed in this release

We’ve spent some time fixing bugs. The following sections describe the issues resolved in this release. If you’re interested, here’s the full list of bugs fixed in 26.0.0.6.

New and updated guides since the previous release

As Open Liberty features and functionality continue to grow, we continue to add new guides to openliberty.io on those topics to make their adoption as easy as possible. Existing guides also receive updates to address any reported bugs/issues, keep their content current, and expand what their topic covers.

Enabling observability in microservices with traces, metrics, and logs using OpenTelemetry and Grafana

Learn how to enable the collection of traces, metrics, and logs from microservices by using MicroProfile Telemetry and the Grafana stack.
Adding custom tracing and metrics for microservice observability using OpenTelemetry and Grafana

Learn how to add manual instrumentation to collect custom spans in traces and custom metrics from microservices by using MicroProfile Telemetry and the Grafana stack.
Building a dynamic web application with integrated user interface and backend logic

Learn how to build a dynamic web application using Jakarta Faces, Jakarta Contexts and Dependency Injection, and Jakarta Expression Language.
Creating a multi-module application with Gradle

You will learn how to build an application with multiple modules with Gradle and Open Liberty.

Get Open Liberty 26.0.0.6 now

Available through Maven, Gradle, Docker, and as a downloadable archive.

See all blog posts