Two CRITICAL advisories published April 9, 2026 affect the wasmtime crate. RUSTSEC-2026-0095: Wasmtime with the Winch compiler backend may allow a sandbox-escaping memory access on certain platforms. RUSTSEC-2026-0096: Miscompiled guest heap access enables sandbox escape on aarch64 with the Cranelift compiler backend. Both are rated CRITICAL as they break the core WebAssembly isolation guarantee.
ODS Impact: ODS does not currently use wasmtime or WebAssembly in production services. No immediate action required. However, if the Billing Engine or Workflow Engine ever adopts WASM plugin execution, these advisories become critical to track. PDF Engine should also be monitored if WASM-based PDF rendering is considered.
RUSTSEC-2026-0097 (INFO severity), published April 11, 2026, affects the rand crate. The crate exhibits unsound behavior when using a custom logger with rand::rng(). The severity is INFO (not CRITICAL), meaning it is a correctness concern rather than an immediate exploitable vulnerability. Affects all versions using rand::rng() with a custom logger setup.
ODS Impact: The rand crate is commonly used in Rust projects for random number generation, including token generation, session IDs, and nonce creation. ODS services (OID for token generation, Billing Engine for invoice IDs) should audit their rand usage. If rand::rng() is called with a custom logger, results may be unsound. Check Cargo.lock for rand version and audit usage patterns.
CVE-2025-12817 affects PostgreSQL: the CREATE STATISTICS command does not check for schema CREATE privilege, allowing a table owner to achieve denial of service against other CREATE STATISTICS users by creating statistics objects in any schema. Fixed in PostgreSQL 17.9, 16.13, 15.17, 14.22 released February 26, 2026. Also tracked alongside CVE-2025-1094 (SQL injection via quoting API misuse in libpq).
ODS Impact: ODS runs PostgreSQL 17 with schema-per-service isolation and Row-Level Security. CVE-2025-12817 could allow a compromised service account to DoS the statistics of other schemas. ODS must confirm it is running PostgreSQL 17.9+ (the patched version). Per last-versions.json, last tracked version is 17.9 — this should be already patched. Verify the ods-postgres container is actually running 17.9 and not an older image. CVE-2025-1094 (libpq SQL injection) is additionally relevant if any ODS service constructs queries using PQescapeLiteral or similar raw libpq APIs.
Redpanda v26.1.4 was released on April 11, 2026. This patch release fixes multi-part delete requests rejected by ABS when using OAuth due to unexpected headers, applies a watermark fix for rm_stm, and enhances the cloud storage scrubber to filter out compacted reuploads, reducing false positives. No breaking changes.
ODS Impact: ODS uses Redpanda as its primary event bus for all inter-service communication (CloudEvents). This patch is a stability/bugfix release. If ODS ever uses Azure Blob Storage with OAuth, the multi-part delete fix is relevant. Safe to upgrade.
ClickHouse v26.3.7.8-lts was released on April 11, 2026 as a Long-Term Support patch release. The 26.3 LTS series introduced bucketed serialization for Map columns (2-49x speedup for single-key lookups), async insert on by default, materialized CTEs, and propagation of data type serialization versions. This patch adds multi-platform binaries and integrity verification. No breaking changes in this patch.
ODS Impact: ODS uses ClickHouse as its OLAP analytics store in the Zero-ETL data platform (Redpanda → Debezium → ClickHouse → Metabase). The async insert-by-default change in 26.3 is relevant: ODS should verify insert behavior in the ClickHouse Kafka engine materialized views. The 2-49x Map column speedup improves analytics query performance on JSON-heavy event payloads.
SQLx 0.9.0-alpha.1 (not yet stable, alpha since Oct 2025) introduces MSRV bump to Rust 1.86, removes deprecated runtime+TLS feature combinations, and changes text column inference behavior (Vec
ODS Impact: SQLx is the primary database driver for all ODS Rust services (OID, DocStore, PDF Engine, Notification Hub, Workflow Engine, Form Engine, Billing Engine). The upcoming 0.9.0 release will require: (1) updating MSRV in all service Cargo.toml files to 1.86, (2) updating compile-time query macros if any columns changed inference, (3) removing old runtime-tokio-native-tls feature combinations. ODS should track this carefully and prepare a migration plan before 0.9.0 stable drops.
Tokio 1.51.1 was released on April 8, 2026. Key fixes: (1) Semaphore would reopen after being forgotten — a correctness bug that could cause resource leaks in rate limiting code, (2) UDP sockets on Linux now properly surface errors from SO_ERROR on receive operations, (3) File descriptor leak prevention when canceling io_uring open operations on Linux. This is a recommended patch upgrade for all Tokio users.
ODS Impact: Tokio is the async runtime used by all ODS Rust services via actix-web and rdkafka. The semaphore bug fix is directly relevant to any service using tokio::sync::Semaphore for connection pooling or rate limiting (Billing Engine rate limits to CinetPay/Stripe, Notification Hub rate limits to Resend). The FD leak fix affects services running on Linux with io_uring. Upgrade all services to tokio 1.51.1 in the next patch cycle.
Actix-web 4.13.0 (released February 18, 2026) bumped MSRV to Rust 1.88, improved HTTP/2 upload throughput by increasing default flow control window sizes, added TCP_NODELAY config, named URL parameter helpers, and an experimental route introspection feature. Cookie parsing now ignores unparsable entries instead of failing. This version is already tracked in last-versions.json as current.
ODS Impact: Actix-web is the HTTP framework for all ODS Rust API services. The MSRV bump to 1.88 means all ODS services will need Rust 1.88+ in CI. The HTTP/2 throughput improvement benefits PDF Engine (large file uploads) and DocStore (binary document uploads). The experimental route introspection could enable auto-generated OpenAPI documentation in a future iteration. Already at this version per last-versions.json — no action needed, confirming current.
The official Rust SDK for the Model Context Protocol (modelcontextprotocol/rust-sdk) is actively developed (last commit April 10, 2026) and trending on GitHub with 3,289 stars. It recently added support for the 2025-11-25 protocol version. MCP enables AI models to securely access tools and data sources through a standardized interface, making it the de facto bridge between LLM agents and backend services.
ODS Impact: ODS builds AI-assisted document workflows (DocSign, DocStore, Workflow Engine). Adopting the MCP Rust SDK would allow ODS services to expose their capabilities (PDF processing, form rendering, document signing) as MCP tools consumable by AI agents and Claude Code. This is a direct enabler for the ODS AI-native roadmap. License is 'NOASSERTION' — requires legal review before adoption.
git-ai (git-ai-project/git-ai) is a Rust-based Git extension for tracking AI-generated code contributions in repositories. Gaining +12 stars today, 1,554 total stars, licensed Apache-2.0, last commit April 11, 2026. It integrates into the git commit flow to annotate AI-generated code sections, enabling teams to audit and measure AI code contribution ratios over time.
ODS Impact: ODS uses Claude Code and ADLC agents to generate significant amounts of production code. git-ai would provide auditability of AI-generated code in ODS repositories, which is valuable for compliance (knowing what was AI-generated vs human-written), code review efficiency, and potential future regulatory requirements around AI-generated software. Worth evaluating in the ADLC pipeline.
Restate (restatedev/restate) is a durable execution platform built as a single Rust binary using Tokio. It turns any function into a durable, fault-tolerant workflow with exactly-once semantics, checkpoint-based recovery, and no deterministic replay requirement. Latest stable v1.6.2 (Feb 2026). SDKs available in TypeScript, Java, Go, Python, and Rust. 3,718 stars, actively maintained. License is BSL (Business Source License) — permissive for non-competing use.
ODS Impact: ODS is building a Workflow Engine (P2 phase) from scratch. Restate is a production-grade alternative that solves exactly the same problem: durable, multi-step, fault-tolerant workflow execution. Its Rust core aligns perfectly with the ODS stack. The Rust SDK means workflow definitions can be written natively. Key consideration: BSL license allows self-hosting but restricts SaaS resale of the engine itself — acceptable for ODS as a user, not a reseller. Could replace the custom Workflow Engine implementation and save significant dev time.
iced (iced-rs/iced) is a cross-platform GUI library for Rust inspired by Elm's architecture, with 30,154 stars and +22 stars today. Licensed MIT, last commit April 6, 2026, actively maintained. It targets desktop and web via WASM, uses a reactive unidirectional data flow, and offers GPU-accelerated rendering via wgpu. It represents the Rust-native alternative to Tauri's web-based frontend approach.
ODS Impact: ODS uses Tauri 2 (Rust backend + web frontend) for DocSign desktop app. iced offers a pure-Rust alternative that eliminates the JavaScript/WebView dependency for desktop UIs. For future ODS desktop tools that need high performance or offline capability (embedded PDF renderer, local document editor), iced is worth evaluating. Not a replacement for DocSign's current Tauri setup, but a candidate for future lightweight desktop utilities.
A detailed 2026 guide (oneuptime.com) covers implementing multi-tenant API isolation in Rust using Actix-web middleware and PostgreSQL Row-Level Security (RLS). The pattern: extract tenant from JWT in Actix middleware, start a DB transaction, set a PostgreSQL session variable (SET LOCAL app.tenant_id = '...'), and let RLS policies automatically scope every query. This eliminates the need for WHERE tenant_id = ? in application code.
ODS Impact: This is exactly the pattern ODS is implementing across all services. The guide validates ODS's current approach and provides concrete implementation patterns. The SET LOCAL session variable approach is the gold standard for RLS-based multi-tenancy in PostgreSQL. ODS dev agent should reference this when implementing new services or reviewing existing RLS policies. Particularly relevant for Form Engine, Billing Engine, and Workflow Engine currently in development.