Skip to main content
Released on June 12, 2026, Lucidworks Search 5.17.2 is a patch release that delivers critical security updates to address vulnerabilities in the Netty framework that handles network communication.
While Lucidworks is not aware of any active exploitation, this update addresses security vulnerabilities that could potentially be exploited. Lucidworks is applying this upgrade to all Lucidworks Search instances.
Upgrading to the latest version of Lucidworks Search offers several key benefits:
  • Access to latest features: Stay current with the latest features and capabilities to ensure compatibility and optimal performance.
  • Simplified process: Lucidworks Search 5.9.5 and later use an in-place upgrade strategy, making upgrades easier than ever.
  • Extended support: Upgrading keeps you up-to-date with the latest supported Kubernetes versions, as outlined in the Lucidworks Semantic Version Support Lifecycle policy.
For supported Kubernetes versions and key component versions, see Platform support and component versions.

Security updates

Security vulnerabilities in Netty resolved

CVE-2026-44249 CVE-2026-42577 CVE-2026-42579 CVE-2026-42581 CVE-2026-42583 CVE-2026-42584 CVE-2026-42585 CVE-2026-42587 CVE-2026-45416 CVE-2026-45674 CVE-2026-47691 Prior to this release, Netty versions before 4.1.135.Final contained multiple security vulnerabilities affecting HTTP request processing, DNS resolution, and network connection handling, including request smuggling vulnerabilities. These vulnerabilities could potentially be exploited to bypass security controls, hijack user sessions, or compromise data integrity. These vulnerabilities are now resolved. Lucidworks Search 5.17.2 updates Netty to version 4.1.135.Final, which addresses these security issues across multiple Netty components including HTTP/HTTP2 codecs, DNS resolver, transport layer, and connection handlers. Upgrading to Lucidworks Search 5.17.2 protects your deployment against these vulnerabilities.

Known issues

Streaming mode indexing fails with unquoted character errors

When indexing content in streaming mode, the Jackson library upgrade (2.13.5 → 2.19.1) introduced stricter validation. The current implementation might fail with long requests that use a Transfer-Encoding: chunked header. Below is an example of a failure message, though other messages are also possible: 
Illegal unquoted character ((CTRL-CHAR, code 13)): has to be escaped using backslash to be included in name
As a workaround, divide your requests into batches and send each batch as a single request with a Content-Length header.

Platform support and component versions

Kubernetes platform support

Lucidworks has tested and validated support for the following Kubernetes platforms and versions:
  • Google Kubernetes Engine (GKE): 1.30, 1.31, 1.32, 1.33, 1.34, 1.35
  • Microsoft Azure Kubernetes Service (AKS): 1.30, 1.31, 1.32, 1.33, 1.34, 1.35
  • Amazon Elastic Kubernetes Service (EKS): 1.30, 1.31, 1.32, 1.33, 1.34, 1.35
Support is also offered for Rancher Kubernetes Engine (RKE and RKE2) and OpenShift 4 versions based on Kubernetes 1.30, 1.31, 1.32, 1.33, 1.34, 1.35. Note that RKE2 may require some Helm chart modification. OpenStack and customized Kubernetes installations aren’t supported. For more information on Kubernetes version support, see the Kubernetes support policy.

Component versions

The following table details the versions of key components that may be critical to deployments and upgrades.
ComponentVersion
Solrfusion-solr 5.17.2 (based on Solr 9.6.1)
ZooKeeper3.9.1
Spark3.4.1
Ingress ControllersNginx, Ambassador (Envoy), GKE Ingress Controller
Rayray[serve] 2.46.0
Helm4.1.1
For more information about support dates, see Lucidworks Semantic Version Support Lifecycle.