Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0. Workarounds: Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4926.json
https://cna.openjsf.org/security-advisories.html
https://bugzilla.redhat.com/show_bug.cgi?id=2451867
https://access.redhat.com/security/cve/CVE-2026-4926
https://access.redhat.com/errata/RHSA-2026:9742
https://access.redhat.com/errata/RHSA-2026:9385
https://access.redhat.com/errata/RHSA-2026:36651
https://access.redhat.com/errata/RHSA-2026:24866
https://access.redhat.com/errata/RHSA-2026:24762
https://access.redhat.com/errata/RHSA-2026:24761
https://access.redhat.com/errata/RHSA-2026:19410
https://access.redhat.com/errata/RHSA-2026:19409
https://access.redhat.com/errata/RHSA-2026:17789
https://access.redhat.com/errata/RHSA-2026:13826
https://access.redhat.com/errata/RHSA-2026:13545
https://access.redhat.com/errata/RHSA-2026:10175