Security Vulnerabilities related to Netty on V5.0.4

Hello,

We were conducting a security review and identified that version 5.0.4 of Openfire is using Netty version 4.1.131.Final, as confirmed in the project’s pom.xml file.

This version of Netty is known to be vulnerable to at least two publicly disclosed CVEs:

  • CVE-2026-33870 (High Severity - HTTP Request Smuggling)

  • CVE-2026-33871 (High Severity - Denial of Service attack)

Both of these vulnerabilities are officially patched in Netty version 4.1.132.Final.

Would it be possible to update this core dependency in a future release to mitigate these security risks?
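A defender-side check for the situation described above, added here as an example and not code from the thread or the Openfire project: it reads the Netty version declared in a pom.xml (a constructed fragment; the `netty.version` property name is an assumption, not Openfire's actual layout) and reports whether the two CVEs named in the report still apply, treating 4.1.132.Final as the fixed version the report cites.

```python
import re
import xml.etree.ElementTree as ET

# Fixed version as stated in the report; both CVEs it names are patched here.
NETTY_FIXED = "4.1.132.Final"
NETTY_CVES = ("CVE-2026-33870", "CVE-2026-33871")

# Constructed pom.xml fragment (assumption: version kept in a netty.version property).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <netty.version>4.1.131.Final</netty.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-all</artifactId>
      <version>${netty.version}</version>
    </dependency>
  </dependencies>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def parse_version(v):
    """Map 'major.minor.patch[.qualifier]' to a comparable tuple.
    'Final' or no qualifier ranks as a release; any other qualifier ranks below it."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z]+\d*))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Netty version: {v!r}")
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    release_rank = 1 if m.group(4) in (None, "Final") else 0
    return nums + (release_rank,)

def netty_version_from_pom(pom_xml):
    """Return the declared io.netty version, resolving a ${property} reference if used."""
    root = ET.fromstring(pom_xml)
    props = {c.tag.split("}")[-1]: (c.text or "").strip()
             for c in root.findall("m:properties/*", NS)}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        if dep.findtext("m:groupId", default="", namespaces=NS) != "io.netty":
            continue
        ver = dep.findtext("m:version", default="", namespaces=NS).strip()
        ref = re.fullmatch(r"\$\{(.+)\}", ver)
        return props.get(ref.group(1), ver) if ref else ver
    return None

def affected_cves(version):
    """CVEs from the report that still apply to this version (empty once >= the fix)."""
    return list(NETTY_CVES) if parse_version(version) < parse_version(NETTY_FIXED) else []

if __name__ == "__main__":
    declared = netty_version_from_pom(SAMPLE_POM)
    print(declared, affected_cves(declared))
```

This only inspects the version the pom declares; a dependencyManagement entry or a transitive override can change what actually ships, so confirm against the resolved dependency tree (for example `mvn dependency:tree`) before closing the finding.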

Hi! Certainly. We have already updated Netty to 4.2.12 (see OF-2957) in the upcoming 5.1.0 release!

Both CVEs should no longer apply to that version.