diff --git a/CHANGES.md b/CHANGES.md
index 771bd578d0887cf3e322cce0da314a171ecd7cf0..4064d3a1e48d17d4a26bc2dad6da2a7b64c144d0 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -27,6 +27,7 @@ Release Notes.
* Support alarm tags.
* Support WeLink as a channel of alarm notification.
* Fix: Some defensive codes didn't work in `PercentileFunction combine`.
+* CVE: fix Jetty vulnerability. https://nvd.nist.gov/vuln/detail/CVE-2019-17638
#### UI
* Add logo for kong plugin.
diff --git a/dist-material/release-docs/LICENSE b/dist-material/release-docs/LICENSE
index d41a486d4b69727f0e99e8e402d72c6a5d0618c1..81f257d8d4659666e16a29b518e868f1987c85de 100755
--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
@@ -246,7 +246,7 @@ The text of each license is the standard Apache 2.0 license.
transport 5.5.0: https://github.com/elastic/elasticsearch/tree/master/client/transport , Apache 2.0
securesm 1.1: https://github.com/elastic/securesm/blob/master/pom.xml , Apache 2.0
LMAX Ltd.(disruptor) 3.3.6: https://github.com/LMAX-Exchange/disruptor , Apache 2.0
- Eclipse (Jetty) 9.4.28.v20200408: https://www.eclipse.org/jetty/ , Apache 2.0 and Eclipse Public License 1.0
+ Eclipse (Jetty) 9.4.40.v20210413: https://www.eclipse.org/jetty/ , Apache 2.0 and Eclipse Public License 1.0
SnakeYAML 1.18: http://www.snakeyaml.org , Apache 2.0
Joda-Time 2.10.5: http://www.joda.org/joda-time/ , Apache 2.0
Joda-Convert 2.2.1: http://www.joda.org/joda-convert/ , Apache 2.0
diff --git a/oap-server/pom.xml b/oap-server/pom.xml
index 1d2b00b160bb58ef28afc3f8422084c85ffcc25d..df7ee01abfda22a083b4af26662bbdc12e83ded2 100755
--- a/oap-server/pom.xml
+++ b/oap-server/pom.xml
@@ -62,7 +62,7 @@
8.0
3.4.10
2.0.26.Final
- 9.4.28.v20200408
+ 9.4.40.v20210413
1.4.196
1.4
2.6
diff --git a/tools/dependencies/known-oap-backend-dependencies-es7.txt b/tools/dependencies/known-oap-backend-dependencies-es7.txt
index b9c0aab2d076cb9ded038e7f3455c5ac6cf8d760..06df41b59b9b220761f4440b27553c310ac17d59 100755
--- a/tools/dependencies/known-oap-backend-dependencies-es7.txt
+++ b/tools/dependencies/known-oap-backend-dependencies-es7.txt
@@ -86,12 +86,13 @@ javassist-3.25.0-GA.jar
javax.inject-1.jar
javax.servlet-api-3.1.0.jar
jcl-over-slf4j-1.7.25.jar
-jetty-http-9.4.28.v20200408.jar
-jetty-io-9.4.28.v20200408.jar
-jetty-security-9.4.28.v20200408.jar
-jetty-server-9.4.28.v20200408.jar
-jetty-servlet-9.4.28.v20200408.jar
-jetty-util-9.4.28.v20200408.jar
+jetty-http-9.4.40.v20210413.jar
+jetty-io-9.4.40.v20210413.jar
+jetty-security-9.4.40.v20210413.jar
+jetty-server-9.4.40.v20210413.jar
+jetty-servlet-9.4.40.v20210413.jar
+jetty-util-9.4.40.v20210413.jar
+jetty-util-ajax-9.4.40.v20210413.jar
jline-0.9.94.jar
jna-4.5.1.jar
joda-convert-2.2.1.jar
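Review bot: The added `jetty-util-ajax-9.4.40.v20210413.jar` line is a new artifact in the distribution, not just a version change, and nothing in this commit records which module brings it in. Because the pom.xml hunk only changes the Jetty version, it is presumably a new transitive dependency of one of the upgraded Jetty modules. Confirm this with `mvn dependency:tree`, and exclude the jar if the OAP server does not use it, so the shipped classpath stays minimal. The same line is added in the first hunk of known-oap-backend-dependencies.txt. The LICENSE entry names Jetty as a project rather than listing individual jars, so it appears to cover the new jar, but that is worth checking against the release docs.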
@@ -174,4 +175,4 @@ snappy-java-1.1.7.3.jar
zstd-jni-1.4.3-1.jar
mvel2-2.4.8.Final.jar
commons-beanutils-1.9.4.jar
-postgresql-42.2.18.jar
\ No newline at end of file
+postgresql-42.2.18.jar
diff --git a/tools/dependencies/known-oap-backend-dependencies.txt b/tools/dependencies/known-oap-backend-dependencies.txt
index 863d1d6b91229fca3d05bbc1544fbf4e847c6c4e..9469791ad89594a363b3fae56021fb5137af216b 100755
--- a/tools/dependencies/known-oap-backend-dependencies.txt
+++ b/tools/dependencies/known-oap-backend-dependencies.txt
@@ -80,12 +80,13 @@ javassist-3.25.0-GA.jar
javax.inject-1.jar
javax.servlet-api-3.1.0.jar
jcl-over-slf4j-1.7.25.jar
-jetty-http-9.4.28.v20200408.jar
-jetty-io-9.4.28.v20200408.jar
-jetty-security-9.4.28.v20200408.jar
-jetty-server-9.4.28.v20200408.jar
-jetty-servlet-9.4.28.v20200408.jar
-jetty-util-9.4.28.v20200408.jar
+jetty-http-9.4.40.v20210413.jar
+jetty-io-9.4.40.v20210413.jar
+jetty-security-9.4.40.v20210413.jar
+jetty-server-9.4.40.v20210413.jar
+jetty-servlet-9.4.40.v20210413.jar
+jetty-util-9.4.40.v20210413.jar
+jetty-util-ajax-9.4.40.v20210413.jar
jline-0.9.94.jar
jna-4.5.1.jar
joda-convert-2.2.1.jar
@@ -169,4 +170,4 @@ snappy-java-1.1.7.3.jar
zstd-jni-1.4.3-1.jar
mvel2-2.4.8.Final.jar
commons-beanutils-1.9.4.jar
-postgresql-42.2.18.jar
\ No newline at end of file
+postgresql-42.2.18.jar