diff --git a/0018-CVE-2023-26048-and-CVE-2023-26049.patch b/0018-CVE-2023-26048-and-CVE-2023-26049.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b96978542581bddc4fce397e055c168a1ec18499
--- /dev/null
+++ b/0018-CVE-2023-26048-and-CVE-2023-26049.patch
@@ -0,0 +1,12 @@
+diff -uNr kafka-2.8.2-src/gradle/dependencies.gradle kafka-2.8.2-src-new/gradle/dependencies.gradle
+--- kafka-2.8.2-src/gradle/dependencies.gradle 2025-10-21 17:13:00.201918257 +0800
++++ kafka-2.8.2-src-new/gradle/dependencies.gradle 2025-10-21 17:13:59.861410855 +0800
+@@ -70,7 +70,7 @@
+ jacksonDatabind: "2.13.4.2",
+ jacoco: "0.8.5",
+ javassist: "3.27.0-GA",
+- jetty: "9.4.48.v20220622",
++ jetty: "9.4.51.v20230217",
+ jersey: "2.34",
+ jline: "3.12.1",
+ jmh: "1.27",
diff --git a/kafka.spec b/kafka.spec
index 1bf6c73d7e4b45ad052ae38880de261219b3b655..7a8831ac7fcd455b586708b6f845a8deeb6496f0 100644
--- a/kafka.spec
+++ b/kafka.spec
@@ -4,7 +4,7 @@ Name: kafka Version: 2.8.2
-Release: 17
+Release: 18
 Summary: A Distributed Streaming Platform. License: Apache-2.0
@@ -29,6 +29,7 @@ Patch13: 0014-override-toString.patch Patch14: 0015-SessionWindows-closed-early.patch Patch15: 0016-non-existent-URL.patch Patch16: 0017-fix-log-clean.patch
+Patch17: 0018-CVE-2023-26048-and-CVE-2023-26049.patch
 BuildRequires: systemd java-1.8.0-openjdk-devel Provides: kafka = %{version}
@@ -80,6 +81,8 @@ cp -pr licenses/* $RPM_BUILD_ROOT%{kafka_home}/licenses rm -rf %{buildroot} %changelog
+* Tue Oct 21 2025 dongjiao - 2.8.2-18
+- Fix CVE-2023-26048 and CVE-2023-26049.
 * Fri Dec 08 2023 sundapeng - 2.8.2-17 - log clean relative index range check of group consider empty log segment to avoid too many empty log segment left * Fri Dec 08 2023 sundapeng - 2.8.2-16
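Review bot: The embedded patch pins Jetty at `9.4.51.v20230217`, the 9.4.x release that addressed the two CVEs in the patch name, but this change is dated October 2025 and the 9.4.x line had further maintenance releases after that build. Check whether the newest 9.4.x release is a drop-in here, i.e. `jetty: "<latest 9.4.x release>",`, so the same rebuild also picks up later Jetty fixes. The patch edits only the version string in `gradle/dependencies.gradle`. Whether the shipped jars change therefore depends on how the RPM build resolves Jetty artifacts, which this diff does not show. A post-build check that the packaged `jetty-*.jar` file names carry the new version would confirm the fix reached the package.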
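Review bot: `Patch17:` is only declared in the second kafka.spec hunk, and no hunk touches `%prep`, so the diff does not show whether the patch is ever applied. If `%prep` lists patches explicitly instead of using `%autosetup` or `%autopatch`, it needs a matching line such as `%patch17 -p1`. Without it the package would still build against Jetty 9.4.48 while the changelog entry states the CVEs are fixed. The embedded patch uses `kafka-2.8.2-src/...` and `kafka-2.8.2-src-new/...` path prefixes, so strip level 1 is the expected one.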