From 0eabe6ce466d2d729965b7960c99f9aaa7451575 Mon Sep 17 00:00:00 2001
From: Viacheslav Klimov <viacheslavklimov11@gmail.com>
Date: Mon, 23 Mar 2026 11:35:11 +0200
Subject: [PATCH 1/5] Fix CVE-2026-22731, CVE-2026-22732, CVE-2026-22733,
 CVE-2026-22737

---
 pom.xml | 42 +-----------------------------------------
 1 file changed, 1 insertion(+), 41 deletions(-)

diff --git a/pom.xml b/pom.xml
index 8983998937..177257aa4c 100755
--- a/pom.xml
+++ b/pom.xml
@@ -38,9 +38,7 @@
         <pkg.implementationTitle>${project.name}</pkg.implementationTitle>
         <pkg.unixLogFolder>/var/log/${pkg.name}</pkg.unixLogFolder>
         <pkg.installFolder>/usr/share/${pkg.name}</pkg.installFolder>
-        <spring-boot.version>3.4.13</spring-boot.version>
-        <tomcat.version>10.1.52</tomcat.version> <!-- to fix CVE-2026-24734 and CVE-2025-66614. TODO: remove when fixed in spring-boot-dependencies -->
-        <jackson.version>2.18.6</jackson.version> <!-- to fix CWE-770. TODO: remove when fixed in spring-boot-dependencies -->
+        <spring-boot.version>3.5.12</spring-boot.version>
         <javax.xml.bind-api.version>2.4.0-b180830.0359</javax.xml.bind-api.version>
         <jedis.version>5.1.5</jedis.version>
         <jjwt.version>0.12.5</jjwt.version>
@@ -121,7 +119,6 @@
         <perfmark-api.version>0.27.0</perfmark-api.version>
         <threetenbp.version>1.7.0</threetenbp.version>
         <!--         TEST SCOPE         -->
-        <assertj.version>3.27.7</assertj.version> <!-- to fix CVE-2026-24400 (XXE). TODO: remove when fixed in spring-boot-dependencies -->
         <dbunit.version>2.7.3</dbunit.version>
         <java-websocket.version>1.5.6</java-websocket.version>
         <mock-server.version>5.15.0</mock-server.version>
@@ -919,43 +916,6 @@
 
     <dependencyManagement>
         <dependencies>
-            <!-- Temporary Tomcat version override -->
-            <dependency>
-                <groupId>org.apache.tomcat.embed</groupId>
-                <artifactId>tomcat-embed-core</artifactId>
-                <version>${tomcat.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.apache.tomcat.embed</groupId>
-                <artifactId>tomcat-embed-el</artifactId>
-                <version>${tomcat.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.apache.tomcat.embed</groupId>
-                <artifactId>tomcat-embed-websocket</artifactId>
-                <version>${tomcat.version}</version>
-            </dependency>
-            <!-- End of Tomcat version override -->
-
-            <!-- Temporary Jackson version override -->
-            <dependency>
-                <groupId>com.fasterxml.jackson</groupId>
-                <artifactId>jackson-bom</artifactId>
-                <version>${jackson.version}</version>
-                <type>pom</type>
-                <scope>import</scope>
-            </dependency>
-            <!-- End of Jackson version override -->
-
-            <!-- Temporary assertj-core version override -->
-            <dependency>
-                <groupId>org.assertj</groupId>
-                <artifactId>assertj-core</artifactId>
-                <version>${assertj.version}</version>
-                <scope>test</scope>
-            </dependency>
-            <!-- End of assertj-core version override -->
-
             <dependency>
                 <groupId>org.springframework.boot</groupId>
                 <artifactId>spring-boot-dependencies</artifactId>

From 7646f79cfe594b1ec3703737ea777fb5804e13c7 Mon Sep 17 00:00:00 2001
From: Viacheslav Klimov <viacheslavklimov11@gmail.com>
Date: Mon, 23 Mar 2026 12:00:49 +0200
Subject: [PATCH 2/5] Implement addBundleRegisterHandler for Spring Boot 3.5
 SslBundles compatibility

---
 .../config/ssl/SslCredentialsWebServerCustomizer.java       | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/common/transport/transport-api/src/main/java/org/thingsboard/server/common/transport/config/ssl/SslCredentialsWebServerCustomizer.java b/common/transport/transport-api/src/main/java/org/thingsboard/server/common/transport/config/ssl/SslCredentialsWebServerCustomizer.java
index e5f81dafc4..34cc1151c4 100644
--- a/common/transport/transport-api/src/main/java/org/thingsboard/server/common/transport/config/ssl/SslCredentialsWebServerCustomizer.java
+++ b/common/transport/transport-api/src/main/java/org/thingsboard/server/common/transport/config/ssl/SslCredentialsWebServerCustomizer.java
@@ -30,6 +30,7 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.stereotype.Component;
 
 import java.util.List;
+import java.util.function.BiConsumer;
 import java.util.function.Consumer;
 
 @Component
@@ -88,6 +89,11 @@ public class SslCredentialsWebServerCustomizer implements WebServerFactoryCustom
             public void addBundleUpdateHandler(String name, Consumer<SslBundle> handler) {
                 // no-op
             }
+
+            @Override
+            public void addBundleRegisterHandler(BiConsumer<String, SslBundle> handler) {
+                // no-op
+            }
         };
     }
 

From caffeb7ce89a7737359d12614c7173fcd7653712 Mon Sep 17 00:00:00 2001
From: Viacheslav Klimov <viacheslavklimov11@gmail.com>
Date: Mon, 23 Mar 2026 12:07:27 +0200
Subject: [PATCH 3/5] Update jedis from 5.1.5 to 6.0.0 and snakeyaml from 2.2
 to 2.4 for Spring Boot 3.5.12 compatibility

---
 pom.xml | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/pom.xml b/pom.xml
index 177257aa4c..11bd6c9a49 100755
--- a/pom.xml
+++ b/pom.xml
@@ -40,7 +40,6 @@
         <pkg.installFolder>/usr/share/${pkg.name}</pkg.installFolder>
         <spring-boot.version>3.5.12</spring-boot.version>
         <javax.xml.bind-api.version>2.4.0-b180830.0359</javax.xml.bind-api.version>
-        <jedis.version>5.1.5</jedis.version>
         <jjwt.version>0.12.5</jjwt.version>
         <rat.version>0.10</rat.version> <!-- unused -->
         <cassandra.version>4.17.0</cassandra.version>
@@ -89,7 +88,6 @@
         <lz4.version>1.10.1</lz4.version> <!-- to fix CVE-2025-12183 and CVE-2025-66566 introduced through kafka-clients 3.9.1 TODO: remove when kafka-clients is bumped -->
         <bucket4j.version>8.10.1</bucket4j.version>
         <antlr.version>3.5.3</antlr.version>
-        <snakeyaml.version>2.2</snakeyaml.version>
         <aws.sdk.version>1.12.701</aws.sdk.version>
         <pubsub.client.version>1.128.1</pubsub.client.version>
 
@@ -1189,11 +1187,6 @@
                 <artifactId>jjwt</artifactId>
                 <version>${jjwt.version}</version>
             </dependency>
-            <dependency>
-                <groupId>org.yaml</groupId>
-                <artifactId>snakeyaml</artifactId>
-                <version>${snakeyaml.version}</version>
-            </dependency>
             <dependency>
                 <groupId>antlr</groupId>
                 <artifactId>antlr</artifactId>
@@ -1545,11 +1538,6 @@
                 <artifactId>bcprov-ext-jdk18on</artifactId>
                 <version>${bouncycastle.version}</version>
             </dependency>
-            <dependency>
-                <groupId>redis.clients</groupId>
-                <artifactId>jedis</artifactId>
-                <version>${jedis.version}</version>
-            </dependency>
             <dependency>
                 <groupId>com.sun.winsw</groupId>
                 <artifactId>winsw</artifactId>

From 9dcb6d53bfea32fcf93a653c263d86e873f06837 Mon Sep 17 00:00:00 2001
From: Viacheslav Klimov <viacheslavklimov11@gmail.com>
Date: Mon, 23 Mar 2026 12:18:09 +0200
Subject: [PATCH 4/5] Update lombok from 1.18.38 to 1.18.44 managed by Spring
 Boot 3.5.12

---
 pom.xml | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/pom.xml b/pom.xml
index 11bd6c9a49..41ff02685a 100755
--- a/pom.xml
+++ b/pom.xml
@@ -64,7 +64,6 @@
         <protobuf.version>3.25.5</protobuf.version> <!-- A Major v4 does not support by the pubsub yet-->
         <grpc.version>1.76.0</grpc.version>
         <tbel.version>1.2.9</tbel.version>
-        <lombok.version>1.18.38</lombok.version>
         <paho.client.version>1.2.5</paho.client.version>
         <paho.mqttv5.client.version>1.2.5</paho.mqttv5.client.version>
         <os-maven-plugin.version>1.7.1</os-maven-plugin.version>
@@ -615,7 +614,6 @@
                             <path>
                                 <groupId>org.projectlombok</groupId>
                                 <artifactId>lombok</artifactId>
-                                <version>${lombok.version}</version>
                             </path>
                         </annotationProcessorPaths>
                     </configuration>
@@ -1487,12 +1485,6 @@
                 <version>${dbunit.version}</version>
                 <scope>test</scope>
             </dependency>
-            <dependency>
-                <groupId>org.projectlombok</groupId>
-                <artifactId>lombok</artifactId>
-                <version>${lombok.version}</version>
-                <scope>provided</scope>
-            </dependency>
             <dependency>
                 <groupId>org.eclipse.paho</groupId>
                 <artifactId>org.eclipse.paho.client.mqttv3</artifactId>

From 0b7229791632b060e60859bcad4847e0789ef413 Mon Sep 17 00:00:00 2001
From: Viacheslav Klimov <viacheslavklimov11@gmail.com>
Date: Mon, 23 Mar 2026 12:41:11 +0200
Subject: [PATCH 5/5] Restore lombok.version property required by
 maven-compiler-plugin annotationProcessorPaths

---
 pom.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pom.xml b/pom.xml
index 41ff02685a..5347769e1e 100755
--- a/pom.xml
+++ b/pom.xml
@@ -64,6 +64,7 @@
         <protobuf.version>3.25.5</protobuf.version> <!-- A Major v4 does not support by the pubsub yet-->
         <grpc.version>1.76.0</grpc.version>
         <tbel.version>1.2.9</tbel.version>
+        <lombok.version>1.18.44</lombok.version> <!-- must be in sync with spring-boot-dependencies; needed for maven-compiler-plugin annotationProcessorPaths -->
         <paho.client.version>1.2.5</paho.client.version>
         <paho.mqttv5.client.version>1.2.5</paho.mqttv5.client.version>
         <os-maven-plugin.version>1.7.1</os-maven-plugin.version>
@@ -614,6 +615,7 @@
                             <path>
                                 <groupId>org.projectlombok</groupId>
                                 <artifactId>lombok</artifactId>
+                                <version>${lombok.version}</version>
                             </path>
                         </annotationProcessorPaths>
                     </configuration>