apache/pulsar

v4.2.1

2026-04-27

Library updates

  • [fix][sec] Upgrade BouncyCastle to 1.84 (CVE-2026-5588, CVE-2026-0636) (#25569)
  • [fix][sec] Upgrade Jetty to address CVE-2026-2332 (#25527)
  • [fix][sec] Upgrade Jetty to address CVE-2026-5795 (#25532)
  • [fix][sec] Upgrade to async-http-client 2.14.5 to address CVE-2026-40490 (#25546)
  • [fix][sec] Upgrade to Netty 4.1.132.Final to address CVEs (#25399)
  • [fix][sec] Upgrade log4j to 2.25.4 to address CVE-2026-34477, CVE-2026-34478, CVE-2026-34480, CVE-2026-34481
  • [fix] Upgrade Jetty to 12.1.6 to fix CVE-2026-1605 (#25485)

Broker

  • [fix][broker] Change the schema incompatible log from ERROR to WARN level (#25483)
  • [fix][broker] Fix backlog clearing for unloaded namespace bundles (#25272)
  • [fix][broker] Lower log level of DrainingHashesTracker not-found entry to DEBUG (#25558)
  • [fix][broker] Prevent timed-out producer creation from racing with retry (#25460)
  • [fix][broker] pulsar admin stats internal with metadata command (#25557)
  • [fix][broker] Revert "[improve][broker] Enhance advertised address resolution with fallback to localhost (#25238)" (#25523)
  • [fix][broker] Unthrottle producers immediately when publish rate limiting is disabled (#25502)
  • [fix][broker]Namespaces can be created with may empty replication_clusters policy (#25551)
  • [fix][admin] Refactor namespace migration operation to async in rest api (#25478)
  • [improve][broker] Close connection when close consumer write fails (#25520)
  • [improve][broker] Use full bundle name for namespace bundle destination affinity in ModularLoadManagerImpl (#25518)

Client

  • [fix][client] Fix thread-safety and refactor MessageCryptoBc key management (#25400)

Pulsar IO and Pulsar Functions

  • [fix][io] Restore lz4 compression with Kafka IO connector after #25198 exclusion

Others

  • [improve][common] Optimize TopicName.get() to reduce lock contention on cache lookup (#25367)
  • [improve][broker] Improve the performance of TopicName constructor (#24463)

Tests & CI

  • [fix][ci] Ensure discard_max_bytes is set to 0 only for existing block devices (#25510)
  • [fix][test] Extend SameAuthParamsLookupAutoClusterFailoverTest phase timeouts (#25563)
  • [fix][test] Fix flaky BrokerRegistryIntegrationTest port binding race (#25463)
  • [fix][test] Fix flaky ExtensibleLoadManagerImpl client reconnection tests: PulsarClientException$AlreadyClosedException: Client already closed (#25509)
  • [fix][test] Fix flaky ExtensibleLoadManagerTest.startBroker timeout (#25500)
  • [fix][test] Fix flaky OffloadPrefixTest.testPositionOnEdgeOfLedger race with ledger rollover (#25561)
  • [fix][test] Fix flaky ServerCnxTest.testCreateProducerTimeoutThenCreateSameNamedProducerShouldFail (#25497)
  • [fix][test] Fix flaky testLoadBalancerServiceUnitTableViewSyncer (#25427)
  • [fix][test] Flaky SameAuthParamsLookupAutoClusterFailoverTest (#25566)
  • [fix][test] Recreate EventLoop in PublishRateLimiterTest setup (#25560)
  • [fix][test] Relax BrokerRegistryIntegrationTest broker-close threshold (#25562)
  • [improve][ci] Cleanup tune-runner-vm and clean-disk actions (#25444)
  • [cleanup][ci] Remove documentation label bot (#25469)
  • [cleanup][ci] Remove ready-to-test label enforcement (#25470)
  • [cleanup][build] Bumped version to 4.2.1-SNAPSHOT
  • [fix][build][branch-4.2] Use correct Jetty ee8 BOM coordinates
  • [improve][ci] Backport fix for ssh-access action

For the complete list, check the full changelog.


v4.0.10

2026-04-27

Upgrade notice

This release upgrades Jetty from 9.4.x to 12.1.8 to address several high-severity CVEs in Jetty 9.4.x (#25534). For background and discussion, see the dev list thread.

The upgrade introduces the following breaking changes:

  1. AdditionalServlet interface change. The org.apache.pulsar.broker.web.plugin.servlet.AdditionalServlet interface was coupled directly to the Jetty 9 org.eclipse.jetty.servlet.ServletHolder class. This coupling has been removed, so external implementations of this plugin API need to be updated.

  2. Athenz authentication requires Java 17+. pulsar-client-auth-athenz now depends on Jetty and therefore requires Java 17+. The Pulsar Client and Pulsar Admin client themselves remain Java 8+ compatible.

  3. Prometheus metrics provider class relocation. The default Prometheus metrics provider classes for BookKeeper and ZooKeeper have been replaced because the previous defaults depended on Jetty 9.4.x. If you are using the previous default configuration file in your deployment, update the following settings:

    | Config file | Setting | Old value | New value |
    |---|---|---|---|
    | bookkeeper.conf | statsProviderClass | org.apache.bookkeeper.stats.prometheus.PrometheusMetricsProvider | org.apache.pulsar.metrics.prometheus.bookkeeper.PrometheusMetricsProvider |
    | zookeeper.conf | metricsProvider.className | org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider | org.apache.pulsar.metrics.prometheus.zookeeper.PrometheusMetricsProvider |
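
A pre-restart check for breaking change 3, added here as an example (it is not part of the Pulsar release notes or project tooling): it reads the effective value of each setting and reports whether a file still names the previous default. The function names and the plain `key=value` parsing are assumptions; the keys and class names are the ones listed in the upgrade notice.

```shell
#!/bin/sh
# Added example: detect config files that still name the pre-upgrade
# Prometheus provider classes. Keys and class names come from the upgrade
# notice; function names and key=value parsing are assumptions.

BK_KEY='statsProviderClass'
BK_OLD='org.apache.bookkeeper.stats.prometheus.PrometheusMetricsProvider'
BK_NEW='org.apache.pulsar.metrics.prometheus.bookkeeper.PrometheusMetricsProvider'
ZK_KEY='metricsProvider.className'
ZK_OLD='org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider'
ZK_NEW='org.apache.pulsar.metrics.prometheus.zookeeper.PrometheusMetricsProvider'

# effective_value FILE KEY
# Print the value of the last uncommented "KEY=value" line (last one wins),
# trimming surrounding whitespace and a trailing CR from Windows-edited files.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }            # skip comment lines
        {
            line = $0
            sub(/\r$/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1)
            v = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }
    ' "$1"
}

# provider_status FILE KEY OLD NEW
# Prints: stale (previous default), migrated (new class),
#         custom (some other class), unset (absent or empty).
provider_status() {
    v=$(effective_value "$1" "$2")
    if [ -z "$v" ]; then echo unset
    elif [ "$v" = "$3" ]; then echo stale
    elif [ "$v" = "$4" ]; then echo migrated
    else echo custom
    fi
}

# check_all BOOKKEEPER_CONF ZOOKEEPER_CONF
# Reports both files and returns non-zero if either is still stale.
check_all() {
    bk=$(provider_status "$1" "$BK_KEY" "$BK_OLD" "$BK_NEW")
    zk=$(provider_status "$2" "$ZK_KEY" "$ZK_OLD" "$ZK_NEW")
    echo "$1: $BK_KEY is $bk"
    echo "$2: $ZK_KEY is $zk"
    [ "$bk" != stale ] && [ "$zk" != stale ]
}

# Run as: sh check.sh /path/to/bookkeeper.conf /path/to/zookeeper.conf
if [ "$#" -eq 2 ]; then
    check_all "$1" "$2"
fi
```

A `custom` result means the deployment overrides the default and needs a manual review rather than the substitution from the table.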

Library updates

  • [fix][sec] Upgrade BouncyCastle to 1.84 (CVE-2026-5588, CVE-2026-0636) (#25569)
  • [fix][sec] Upgrade to async-http-client 2.14.5 to address CVE-2026-40490 (#25546)
  • [fix][sec] Upgrade to Netty 4.1.132.Final to address CVEs (#25399)
  • [fix][sec] Bump google.golang.org/grpc from 1.60.0 to 1.79.3 in /pulsar-function-go (#25353)
  • [fix][sec] Bump org.apache.zookeeper:zookeeper from 3.9.4 to 3.9.5 (#25303)
  • [fix][sec] Upgrade aircompressor to 2.0.3 to resolve CVE-2025-67721 (#25256)
  • [fix][sec] Upgrade Jackson version to 2.18.6 (#25264)
  • [fix][sec] Upgrade Python protobuf version to 6.33.5 to address CVE-2026-0994 (#25250)
  • [fix][sec][branch-4.0] Upgrade to Jetty 12.1.8 to address several CVEs (#25534)
  • [improve][fn] Upgrade Pulsar Python client version to 3.10.0 (#25251)
  • [fix][sec] Upgrade log4j to 2.25.4 to address CVE-2026-34477, CVE-2026-34478, CVE-2026-34480, CVE-2026-34481
  • [improve] Upgrade RoaringBitmap to 1.6.9 version (#25253)

Broker

  • [fix][broker] Change the schema incompatible log from ERROR to WARN level (#25483)
  • [fix][broker] Fix backlog clearing for unloaded namespace bundles (#25272)
  • [fix][broker] Lower log level of DrainingHashesTracker not-found entry to DEBUG (#25558)
  • [fix][broker] Prevent timed-out producer creation from racing with retry (#25460)
  • [fix][broker] pulsar admin stats internal with metadata command (#25557)
  • [fix][broker] Unthrottle producers immediately when publish rate limiting is disabled (#25502)
  • [fix][broker]Namespaces can be created with may empty replication_clusters policy (#25551)
  • [fix][admin] Refactor namespace migration operation to async in rest api (#25478)
  • [improve][broker] Close connection when close consumer write fails (#25520)
  • [improve][broker] Use full bundle name for namespace bundle destination affinity in ModularLoadManagerImpl (#25518)
  • [fix][broker] Fix concurrency bug in BucketDelayedDeliveryTracker (#25346)
  • [fix][broker] Fix ExtensibleLoadManagerImpl stuck Assigning bundle state after broker restart (#25379)
  • [fix][broker] fix flaky test in SystemTopicBasedTopicPoliciesServiceTest (#25098)
  • [fix][broker] Fix IllegalArgumentException in BucketDelayedDeliveryTracker.addMessage (#25371)
  • [fix][broker] Fix race condition in ServerCnx producer/consumer async callbacks (#25352)
  • [fix][broker] Guard AsyncTokenBucket against long overflow (#25262)
  • [fix][broker] Handle missing replicator during snapshot request processing (#25266)
  • [fix][broker] Return failed future instead of throwing exception in async methods (#25289)
  • [fix][broker] Support namespace unsubscribe when bundles are unloaded (#25276)
  • [fix][broker]Producer with AUTO_PRODUCE schema failed to reconnect, which caused by schema incompatible (#25437)
  • [fix][broker]system topic was created with different partitions acrossing clusters after enabled namespace-level replication (#25312)
  • [fix][admin] Refactor namespace anti affinity group sync operations to async in rest api (#25086)
  • [fix][offload] Close all resources in BlobStoreBackedReadHandleImplV2.closeAsync (#25296)
  • [improve][broker] Change log level from warn to debug when cursor mark-deleted position ledger doesn't exist (#25200)
  • [improve][broker] Optimize AsyncTokenBucket overflow solution further to reduce fallback to BigInteger (#25269)
  • [improve][broker]Reduce the lock range of SimpleCache to enhance performance (#25293)
  • [refactor][broker] Decouple delayed delivery trackers from dispatcher (#25384)

Client

  • [fix][client] Fix thread-safety and refactor MessageCryptoBc key management (#25400)
  • [fix][client] Fail messages immediately in ProducerImpl when in terminal state (#25317)
  • [fix][client] Fix async APIs to return failed futures on validation errors (#25287)
  • [fix][client] Reduce logging in OAuth auth to fix parsing of Pulsar cli command output (#25254)
  • [improve][client][branch-4.0] Deduplicate in-progress lookup requests also for HttpLookupService (#25017)

Pulsar IO and Pulsar Functions

  • [fix][io][kca] kafka headers silently dropped (#25325)
  • [fix][io] Restore lz4 compression with Kafka IO connector after #25198 exclusion

Others

  • [improve][common] Optimize TopicName.get() to reduce lock contention on cache lookup (#25367)
  • [improve][broker] Improve the performance of TopicName constructor (#24463)
  • [feat][bookkeeper] add certs refresh (#25370)

Tests & CI

  • [fix][ci] Ensure discard_max_bytes is set to 0 only for existing block devices (#25510)
  • [fix][test] Extend SameAuthParamsLookupAutoClusterFailoverTest phase timeouts (#25563)
  • [fix][test] Fix flaky BrokerRegistryIntegrationTest port binding race (#25463)
  • [fix][test] Fix flaky ExtensibleLoadManagerImpl client reconnection tests: PulsarClientException$AlreadyClosedException: Client already closed (#25509)
  • [fix][test] Fix flaky ExtensibleLoadManagerTest.startBroker timeout (#25500)
  • [fix][test] Fix flaky OffloadPrefixTest.testPositionOnEdgeOfLedger race with ledger rollover (#25561)
  • [fix][test] Fix flaky ServerCnxTest.testCreateProducerTimeoutThenCreateSameNamedProducerShouldFail (#25497)
  • [fix][test] Fix flaky testLoadBalancerServiceUnitTableViewSyncer (#25427)
  • [fix][test] Flaky SameAuthParamsLookupAutoClusterFailoverTest (#25566)
  • [fix][test] Recreate EventLoop in PublishRateLimiterTest setup (#25560)
  • [fix][test] Relax BrokerRegistryIntegrationTest broker-close threshold (#25562)
  • [improve][ci] Cleanup tune-runner-vm and clean-disk actions (#25444)
  • [cleanup][ci] Remove documentation label bot (#25469)
  • [cleanup][ci] Remove ready-to-test label enforcement (#25470)
  • [fix][ci] Disable trivy-action (#25373)
  • [fix][ci] Fix .github/actions/ssh-access which is used for debugging Pulsar CI in forks (#25075)
  • [fix][test] Fix flaky ExtensibleLoadManagerImplTest.testLoadBalancerServiceUnitTableViewSyncer (#25378)
  • [fix][test] Fix flaky OneWayReplicatorUsingGlobalZKTest cleanup (#25313)
  • [fix][test] Fix flaky OneWayReplicatorUsingGlobalZKTest.cleanup (#25389)
  • [fix][test] Fix flaky PersistentStickyKeyDispatcherMultipleConsumersClassicTest.testSkipRedeliverTemporally (#25385)
  • [fix][test] Fix flaky PulsarDebeziumOracleSourceTest (#25314)
  • [fix][test] Fix flaky ReplicatorTest.testResumptionAfterBacklogRelaxed (#25358)
  • [fix][test] Fix flaky SingleThreadNonConcurrentFixedRateSchedulerTest.testPeriodicTaskCancellation (#24823)
  • [fix][test] Stabilize FunctionAssignmentTailerTest.testErrorNotifier by synchronizing mock stubbing with CountDownLatch (#24875)
  • [fix] Fix flaky OneWayReplicatorTest.testTopicPoliciesReplicationRule (#25316)
  • [fix] Fix flaky testEstimatedTimeBasedBacklogQuotaCheckWhenNoBacklog (#25307)
  • [cleanup][build] Bumped version to 4.0.10-SNAPSHOT
  • [fix][build] Fix license file for shell distribution
  • [fix][build][branch-4.0] Fix broken compilation after cherry-picking #25400
  • [fix][build][branch-4.0] Fix missing exclusion in cherry-picking #25264
  • [fix][test][branch-4.0] Backport Pulsar IO Debezium connector test framework changes
  • [improve][build][branch-4.0] Support docker.golang.image/GOLANG_IMAGE in latest-version-image
  • [improve][ci] Backport fix for ssh-access action

For the complete list, check the full changelog.


v3.0.17

2026-04-27

Library updates

  • [fix][sec] Upgrade BouncyCastle to 1.84 (CVE-2026-5588, CVE-2026-0636) (#25569)
  • [fix][sec] Upgrade to async-http-client 2.14.5 to address CVE-2026-40490 (#25546)
  • [fix][sec] Upgrade to Netty 4.1.132.Final to address CVEs (#25399)
  • [fix][sec] Bump org.apache.zookeeper:zookeeper from 3.9.4 to 3.9.5 (#25303)
  • [fix][sec] Upgrade aircompressor to 2.0.3 to resolve CVE-2025-67721 (#25256)
  • [fix][sec] Upgrade Jackson version to 2.18.6 (#25264)
  • [fix][sec] Upgrade Python protobuf version to 6.33.5 to address CVE-2026-0994 (#25250)
  • [improve][fn] Upgrade Pulsar Python client version to 3.10.0 (#25251)
  • [fix][sec] Exclude org.lz4:lz4-java and standardize on at.yawk.lz4-java to remediate CVE-2025-12183 and CVE-2025-66566 (#25198)
  • [fix][sec] Override kafka-clients in kinesis-kpl-shaded to remediate CVE-2024-31141 and CVE-2025-27817 (#24935)
  • [fix][sec] Upgrade log4j to 2.25.4 to address CVE-2026-34477, CVE-2026-34478, CVE-2026-34480, CVE-2026-34481 (#25521)
  • [fix][sec]Upgrade jackson to 2.17.2 (#23174)
  • [improve] Upgrade Netty to 4.1.131.Final (#25232)

Broker

  • [improve][broker] Close connection when close consumer write fails (#25520)

Client

  • [fix][client] Fail messages immediately in ProducerImpl when in terminal state (#25317)

Pulsar IO and Pulsar Functions

  • [fix][io] Restore lz4 compression with Kafka IO connector after #25198 exclusion

Others

  • [improve][common] Optimize TopicName.get() to reduce lock contention on cache lookup (#25367)
  • [improve][broker] Improve the performance of TopicName constructor (#24463)

Tests & CI

  • [improve][ci] Cleanup tune-runner-vm and clean-disk actions (#25444)
  • [cleanup][ci] Remove documentation label bot (#25469)
  • [cleanup][ci] Remove ready-to-test label enforcement (#25470)
  • [fix][ci] Fix .github/actions/ssh-access which is used for debugging Pulsar CI in forks (#25075)
  • [fix][test] Stabilize FunctionAssignmentTailerTest.testErrorNotifier by synchronizing mock stubbing with CountDownLatch (#24875)
  • [cleanup][build] Bumped version to 3.0.17-SNAPSHOT
  • [fix][build][branch-3.0] Fix presto-distribution license file
  • [fix][build][branch-3.0] Fix trino license
  • [fix][build][branch-3.0] Fix trino license file
  • [fix][ci][branch-3.0] Fix docker daemon configuration for branch-3.0
  • [fix][ci][branch-3.0] Revert adding min-api-version: 1.24 to /etc/docker/daemon.json
  • [improve][ci] Backport fix for ssh-access action

For the complete list, check the full changelog.


v3.0.16

2026-02-16

Library updates

  • [fix][sec] Bump github.com/dvsekhvalnov/jose2go from 1.6.0 to 1.7.0 in /pulsar-function-go (#24987)
  • [fix][sec] Upgrade jose4j to 0.9.6 to address CVE-2024-29371 (#25095)
  • [fix][sec] Upgrade log4j to 2.25.3 to address CVE-2025-68161 (#25102)
  • [fix][sec] Upgrade Netty to 4.1.130.Final (#25078)
  • [fix][sec] Upgrade vertx to address CVE-2026-1002 (#25152)
  • [fix][test] Upgrade docker-java to 3.7.0 (#25209)
  • [fix] Upgrade gson to 2.13.2 (#25022)

Broker

  • [fix][broker] Fix chunked message loss when no consumers are available (#25077)
  • [fix][broker] Fix creation of replicated subscriptions for partitioned topics (#24997)
  • [fix][broker] Fix httpProxyTimeout config (#25223)
  • [fix][broker] Fix incomplete futures in topic property update/delete methods (#25228)
  • [fix][broker] Fix issue with schemaValidationEnforced in geo-replication (#25012)
  • [fix][broker] Fix MultiRolesTokenAuthorizationProvider error when subscription prefix doesn't match. (#25121)
  • [fix][broker] Fix regex matching of namespace name which might contain a regex char (#25136)
  • [fix][broker] Fix transactionMetadataFuture completeExceptionally with null value (#25231)
  • [fix][broker] Fix various error-prone detected errors mainly in logging and String.format parameters (#25059)
  • [fix][broker] Force EnsemblePolicies to resolve network location after rackInfoMap is updated due to changes in /ledgers/available znode (#25067)
  • [fix][broker] Use poll instead remove to avoid NoSuchElementException (#24933)
  • [fix][broker][branch-3.0] fix prepareInitPoliciesCacheAsync in SystemTopicBasedTopicPoliciesService (#24978)
  • [fix][admin] Fix asyncGetRequest to handle 204 (#25124)
  • [fix][ml] Fix NoSuchElementException in EntryCountEstimator caused by a race condition (#25177)
  • [fix][meta] Use getChildrenFromStore to read children data to avoid lost data (#24665)
  • [improve][broker] Give the detail error msg when authenticate failed with AuthenticationException (#25221)
  • [improve][ml] Optimize ledger opening by skipping fully acknowledged ledgers (#24655)
  • [improve][meta] Improve fault tolerance of blocking calls by supporting timeout (#21028)
  • [fix] Handle TLS close_notify to avoid SslClosedEngineException: SSLEngine closed already (#24986)

Client

  • [fix][client] Fix AutoProduceBytesSchema.clone() method (#25015)
  • [fix][client] Fix double recycling of the message in isValidConsumerEpoch method (#25008)
  • [fix][client] Fix invalid parameter type passed to Map.get in TopicsImpl.getListAsync method (#25069)
  • [fix][client] Fix producer synchronous retry handling in failPendingMessages method (#25207)
  • [fix][client] Fix race condition between isDuplicate() and flushAsync() method in PersistentAcknowledgmentsGroupingTracker due to incorrect use Netty Recycler (#25208)
  • [fix][client] Fix thread-safety of AutoProduceBytesSchema (#25014)
  • [fix][client] PIP-84: Skip processing a message in the message listener if the consumer epoch is no longer valid (#25007)
  • [fix][client] Skip processing messages in the listener when the consumer has been closed (#25006)
  • [fix][client]Producer stuck or geo-replication stuck due to wrong value of message.numMessagesInBatch (#25106)
  • [improve][client] Test no exception could be thrown for invalid epoch in message (#25013)
  • [fix] Handle TLS close_notify to avoid SslClosedEngineException: SSLEngine closed already (#24986)

Pulsar IO and Pulsar Functions

  • [fix][fn] complete flushAsync before closeAsync in ProducerCache and wait for completion in closing the cache (#25140)
  • [fix][fn] Fix graceful Pulsar Function shutdown so that consumers and producers are closed (#25157)

Others

  • [fix][proxy] Close client connection immediately when credentials expire and forwardAuthorizationCredentials is disabled (#25179)
  • [fix][proxy] Fix memory leaks in ParserProxyHandler (#25142)
  • [improve][proxy] Add regression tests for package upload with 'Expect: 100-continue' (#25211)
  • [fix][misc] Allow JWT tokens in OpenID auth without nbf claim (#25197)
  • [improve] Eliminate unnecessary duplicate schema lookups for partitioned topics in client and geo-replication (#25011)

Tests & CI

  • [fix][build] Remove Confluent and Restlet maven repositories from top level pom.xml (#24981)
  • [improve][test][branch-3.0] Add test for issue #25220

For the complete list, check the full changelog.
