Hello,

and sorry for the short follow-up, but I noticed that

https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/

includes links to the related / relevant PRs:

- https://github.com/fluent/fluent-bit/pull/10961
- https://github.com/fluent/fluent-bit/pull/10967
- https://github.com/fluent/fluent-bit/pull/10969
- https://github.com/fluent/fluent-bit/pull/10972
- https://github.com/fluent/fluent-bit/pull/10973

and if we check / follow these we can see each backport to the 4.0.x branch:

- https://github.com/fluent/fluent-bit/pull/10982
- https://github.com/fluent/fluent-bit/pull/10991
- https://github.com/fluent/fluent-bit/pull/10983
- https://github.com/fluent/fluent-bit/pull/10984
- https://github.com/fluent/fluent-bit/pull/10986

If finally checking

https://github.com/fluent/fluent-bit/releases/tag/v4.0.12

we can see that these PRs are actually included in 4.0.12 and not in 4.0.13.

Only for the last issue (CWE 306 - Missing authentication in in_forward) mentioned on the blog post, follow-up fixes have been made via these for 4.2.0:

- https://github.com/fluent/fluent-bit/pull/11026
- https://github.com/fluent/fluent-bit/pull/11028

which ended up via this PR in 4.0.13:

- https://github.com/fluent/fluent-bit/pull/11029

My initial assumption is that four out of the five issues / CVEs are actually already fixed in 4.0.12 while one requires 4.0.13 for a "full" fix and 4.1.1 is currently still partly affected by that one.

I think a publication of security advisories on

https://github.com/fluent/fluent-bit/security

with relevant affected and fixed versions with a follow-up update to the blog post could largely clear up some confusion / inconsistencies on the affected and fixed versions.