Hazelcast up to 4.2.5 allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection:
Okapi 4.14.0 through 4.14.7, 4.13.0 through 4.13.2, and all older versions use a vulnerable Hazelcast version.
Okapi 4.14.8 and all later versions, as well as 4.13.3 and all later 4.13.x versions, use the fixed Hazelcast version.
This issue bumps Hazelcast from 4.2.2 to 4.2.6 in the b14.3 branch.
The b14.4 branch had been updated before the security issue was published: https://github.com/folio-org/okapi/releases/tag/v4.14.8