
Security Reports

Security Updates

Please note that binary patches are not produced for individual vulnerabilities. To obtain the fix for a particular vulnerability you should upgrade to the officially released version where that vulnerability has been fixed.

List of Vulnerabilities

Note: the vulnerability reports linked below will provide additional details including reference to the public announcement and a short description.

| CVE Number | Type | Fix Versions |
| --- | --- | --- |
| CVE-2020-1940 | Sensitive information disclosure vulnerability | 1.24.0, 1.10.8, 1.8.20, 1.6.20, 1.4.26, patch for 1.2 see OAK-8870 |

Reporting Vulnerabilities with Apache Jackrabbit Oak

The Apache Software Foundation takes an active stance in eliminating security problems. We strongly encourage everyone to report vulnerabilities to the Apache security mailing list security(at), before disclosing them in a public forum.

Please note that the security mailing list should only be used for reporting undisclosed vulnerabilities and managing the process of fixing them. We cannot accept regular bug reports or other queries at this address. If you wish to report a bug that isn't an undisclosed security vulnerability, please use

### Errors and Omissions

Please report any errors or omissions to security(at)