Which versions of kafka-python are affected by CVE-2026-10143?

kafka-python versions before 2.3.2 contain a denial-of-service vulnerability triggered during SCRAM authentication that freezes client event loops; no public exploit identified at time of analysis.. A patch is available.

How to fix or mitigate CVE-2026-10143?

Within 24 hours: audit production and development environments for kafka-python deployment and version (check requirements.txt, setup.py, poetry.lock, pip show, and container images). Within 7 days: develop and test upgrade plan to kafka-python 2.3.2 or later in non-production environments and schedule maintenance windows for production rollout. Within 30 days: complete deployment of kafka-python 2.3.2+ across all applications, validate against functional and integration test suites, and verify via dependency scanning tools.

kafka-python CVE-2026-10143

Q: What is the CVSS score of CVE-2026-10143?

CVE-2026-10143 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

EUVD-2026-36128 HIGH

Uncontrolled Resource Consumption (CWE-400)

2026-06-10 VulnCheck

Python Denial Of Service

8.7

CVSS 4.0 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck) PRIMARY

8.7 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI

5.9 MEDIUM

Network-reachable and unauthenticated, but requires attacker to control or MITM the broker connection (AC:H); only availability is impacted via event-loop stall.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

Jun 10, 2026 - 22:32 vuln.today

v3 (cvss_changed)

Analysis Updated

Jun 10, 2026 - 22:31 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Jun 10, 2026 - 22:22 vuln.today

cvss_changed

CVSS changed

Jun 10, 2026 - 22:22 NVD

7.5 (HIGH) 8.7 (HIGH)

Source Code Evidence Fetched

Jun 10, 2026 - 21:17 vuln.today

Analysis Generated

Jun 10, 2026 - 21:17 vuln.today

DescriptionCVE.org

kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in SCRAM authentication handling that allows a malicious or machine-in-the-middle broker to freeze the client event loop by supplying an excessively large iteration count. In scram.py, ScramClient.process_server_first_message() passes the broker-controlled SCRAM iteration count directly to hashlib.pbkdf2_hmac() without validation, blocking producer sends, consumer polls, admin operations, and heartbeats, which can cause consumer group eviction and repeated reconnect failures.

Articles & Coverage 2

News 7 New Python Vulnerabilities - 1 Critical, 6 High Severity Jun 11, 2026 News 6 New Python Vulnerabilities - 1 Critical, 5 High Severity Jun 10, 2026

AnalysisAI

Denial of service in kafka-python versions prior to 2.3.2 allows a malicious or man-in-the-middle Kafka broker to freeze the client's event loop during SCRAM authentication by returning an excessive PBKDF2 iteration count. Because ScramClient.process_server_first_message() forwards the broker-supplied value directly to hashlib.pbkdf2_hmac() without bounds checking, producers, consumers, admin clients, and group heartbeats all stall, leading to consumer-group eviction and reconnect loops. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Position rogue/MITM Kafka broker

Delivery

Client opens SASL SCRAM connection

Exploit

Broker returns huge PBKDF2 iteration count

Execution

Client calls hashlib.pbkdf2_hmac on event loop

Persist

CPU-bound hash blocks all I/O callbacks

Impact

Heartbeats miss, consumer evicted, reconnect loop

Access

Position rogue/MITM Kafka broker

Delivery

Client opens SASL SCRAM connection

Exploit

Broker returns huge PBKDF2 iteration count

Execution

Client calls hashlib.pbkdf2_hmac on event loop

Persist

CPU-bound hash blocks all I/O callbacks

Impact

Heartbeats miss, consumer evicted, reconnect loop

Vulnerability AssessmentAI

Exploitation	Exploitation requires the client to initiate a SASL SCRAM-SHA-256 or SCRAM-SHA-512 handshake against an attacker-controlled or MITM-intercepted broker endpoint - clients using PLAIN, GSSAPI/Kerberos, OAUTHBEARER, or no SASL at all are not on this code path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N correctly captures a high-availability-only impact reachable without authentication or user interaction, yielding the 8.7 score; confidentiality and integrity are untouched because the malicious broker never completes the SCRAM exchange and gains no key material. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker who can intercept the TCP handshake to the Kafka bootstrap broker (untrusted network, compromised DNS, or rogue broker advertised via a misconfigured listener) terminates the SCRAM handshake with a server-first-message containing an iteration count in the billions. The kafka-python client calls hashlib.pbkdf2_hmac() with that count on its main event loop thread and hangs indefinitely, stalling producer sends, consumer polls, admin operations, and heartbeats until the consumer is evicted from its group. …
Remediation	Vendor-released patch: upgrade kafka-python to 2.3.2 or later, which adds an explicit upper bound on the broker-supplied SCRAM iteration count before invoking hashlib.pbkdf2_hmac() and also introduces a receive_message_max_bytes frame-size guard (commit 6e4831444f972d169cdd11f5c8d50333cea3f19b and PRs https://github.com/dpkp/kafka-python/pull/3019 and https://github.com/dpkp/kafka-python/pull/3026). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: audit production and development environments for kafka-python deployment and version (check requirements.txt, setup.py, poetry.lock, pip show, and container images). …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-43986 CRITICAL Act Now

9.9 Jun 04

Unauthenticated server-side request forgery in Tautulli versions prior to 2.17.1 allows remote attackers to coerce the T

CVE-2026-47731 CRITICAL Act Now

9.1 Jun 05

Path traversal in NASA AMMOS AIT-Core's Binary Stream Capture (BSC) component allows unauthenticated remote attackers to

CVE-2026-48031 CRITICAL Act Now

9.1 Jun 10

Authentication bypass in dhax/go-base Go REST API boilerplate (versions prior to commit cc82b974, merged May 17, 2026) a

CVE-2026-41065 HIGH This Week

8.9 Jun 04

Remote code execution in Tautulli versions prior to 2.17.1 allows attackers to achieve unauthenticated RCE on fresh inst

CVE-2026-43984 HIGH This Week