A critical security fix, backported across every branch
A CSRF and SSRF vulnerability in the Admin Console and REST management interface has been patched in all five releases this cycle: Azul Payara 7.1.0, 6.39.0, 5.88.0, 4.1.2.191.56, and Azul Payara Community 7.2026.6. Azul is a registered CVE Numbering Authority (CNA) under CISA and DHS oversight, and patches are backported to every supported version on a published monthly schedule – so regardless of which branch you run, there is no reason to delay upgrading.
Azul Payara 7.1.0: the Payara 7 line matures
7.1.0 is the first regular monthly release since Server 7 and Micro 7 reached general availability in May. It holds Final Jakarta EE 11 certification with MicroProfile 6.1 and several key components graduate to GA in this cycle: EclipseLink 5.0.0, Jersey 4.0.2, HK2 4.0.1 and Payara Security Connectors 4.0.0.
Jakarta Data also receives two meaningful updates: method-level @Transactional overrides on repository interfaces and a performance fix that stops the runtime parsing method names on every HTTP request.
Notable bug fixes include duplicate MicroProfile metrics, session retrieval in relaxed mode and an Admin Console password-change issue.
One thing to check before upgrading Payara 5 or 6
Azul Payara 5.88.0 and 6.39.0 change the default for the fish.payara.ready-after-applications system property from effectively false to true, aligning with the behaviour already in place on Payara 7 and Payara Community. The server now signals ready after post-boot configuration and application loading complete, rather than after the server_startup event.
Most deployments will not notice. If yours uses post-boot scripts or has specific transaction recovery timing requirements, review this before upgrading and set the property explicitly to false if you need the earlier behaviour.
Payara 6 and 5: continued support for older Jakarta EE lines
Azul Payara 6.39.0 continues the Jakarta EE 10 line; 5.88.0 retains the javax.* namespace and Jakarta EE 8 for teams that have not yet migrated. Both receive the security fix, component upgrades, and the shared bug fixes for metrics and session retrieval. Azul Payara 4.1.2.191.56 picks up the security fix and a Hazelcast upgrade.
A note on Azul Payara Community
Payara Community 7.2026.6 carries the same security fix, bug fixes and component upgrades as Payara 7.1.0. It’s the right starting point for development and evaluation.
Ready to upgrade?
- See the full release notes here: https://docs.payara.fish/enterprise/docs/Release%20Notes/Overview.html
- Contact your Azul account team for Lifetime Support or migration advice
