6.7.0

What's Changed

New or updated images

component	image
operator	ghcr.io/kube-logging/logging-operator:6.7.0
fluentd	ghcr.io/kube-logging/logging-operator/fluentd:6.7.0-full
syslog-ng-reloader	ghcr.io/kube-logging/logging-operator/syslog-ng-reloader:6.7.0
config-reloader	ghcr.io/kube-logging/logging-operator/config-reloader:6.7.0
fluentd-drain-watch	ghcr.io/kube-logging/logging-operator/fluentd-drain-watch:6.7.0
buffer-volume-metrics	ghcr.io/kube-logging/logging-operator/node-exporter:6.7.0
eventrouter	ghcr.io/kube-logging/eventrouter:1.0.0

Install with helm

helm install logging-operator oci://ghcr.io/kube-logging/helm-charts/logging-operator --version=6.7.0

Security

CVE-2026-54680 — Fluentd configuration injection via unescaped CRD/secret values

CRD and secret-provided string values were written into the generated fluent.conf without escaping. A value containing a newline could terminate its directive and inject arbitrary Fluentd configuration (for example a <match> block with @type exec), enabling remote code execution in the aggregator. Parameter values containing newlines are now quoted and escaped, and newlines in structural fields (@type, @id, @label, @log_level, tag, directive and parameter names) are rejected at config-render time.

• Affected: ≤ 6.5.2
• Hardening shipped in: 6.6.0

Enhancements

• feat: support eventrouter 1.0.0 for EventTailer by @csatib02 in #2248

Dependency and image updates

• chore(deps): bump net-imap from 0.5.14 to 0.5.15 in /images/fluentd/outputs by @dependabot[bot] in #2249
• chore(deps): bump github.com/open-telemetry/opentelemetry-operator from 0.151.0 to 0.152.0 by @dependabot[bot] in #2252

Bug fixes

• fix: advisory regression by @csatib02 in #2255

Full Changelog: 6.6.0...6.7.0