Skip to main content

Apache Kafka CVE-2026-33557

| EUVDEUVD-2026-23846 CRITICAL
Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285)
2026-04-20 apache GHSA-28jg-cgg7-j4wc
9.1
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Red Hat
8.6 HIGH
qualitative

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

7
Patch released
Apr 25, 2026 - 02:30 nvd
Patch available
Re-analysis Queued
Apr 20, 2026 - 19:07 vuln.today
cvss_changed
Analysis Generated
Apr 20, 2026 - 17:12 vuln.today
CVSS changed
Apr 20, 2026 - 16:22 NVD
9.1 (None) 9.1 (CRITICAL)
EUVD ID Assigned
Apr 20, 2026 - 14:15 euvd
EUVD-2026-23846
Analysis Generated
Apr 20, 2026 - 14:15 vuln.today
CVE Published
Apr 20, 2026 - 13:28 nvd
CRITICAL 9.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 295 maven packages depend on org.apache.kafka:kafka-clients (134 direct, 161 indirect)

Ecosystem-wide dependent count for version 4.1.0.

DescriptionCVE.org

A possible security vulnerability has been identified in Apache Kafka.

By default, the broker property sasl.oauthbearer.jwt.validator.class is set to org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the preferred_username set to any user, and the broker will accept it.

We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config sasl.oauthbearer.jwt.validator.class to org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.

AnalysisAI

Apache Kafka 4.1.0 and 4.1.1 accept forged JWT tokens without signature validation, allowing remote unauthenticated attackers to authenticate as any user and gain unauthorized access to Kafka resources. The default SASL/OAUTHBEARER validator (DefaultJwtValidator) fails to verify token signatures, issuers, or audiences, enabling complete authentication bypass. CVSS 9.1 (Critical) with network vector and no privileges required. SSVC indicates the vulnerability is automatable with partial technical impact. No active exploitation confirmed at time of analysis, but the attack requires minimal sophistication and could be scripted trivially given the token acceptance behavior.

Technical ContextAI

Apache Kafka's SASL/OAUTHBEARER authentication mechanism relies on JWT tokens for client authentication. The vulnerability stems from CWE-1285 (Improper Validation of Specified Index, Position, or Offset in Input), manifested as the DefaultJwtValidator class accepting JWT tokens without cryptographic signature verification. In OAuth 2.0 and JWT (RFC 7519) implementations, the signature validation step is critical to prevent token forgery-verifying the token was issued by a trusted authority and hasn't been tampered with. The affected versions (4.1.0-4.1.1) default to a validator that bypasses these essential checks, treating the 'preferred_username' claim as authoritative without verifying the token's authenticity. This allows attackers to craft self-signed tokens with arbitrary identity claims. The CPE identifies Apache Software Foundation's Apache Kafka as the affected product, specifically the broker authentication subsystem when configured for SASL/OAUTHBEARER.

RemediationAI

Immediate remediation requires upgrading to Apache Kafka version 4.1.2 or later, or version 4.2.0 or later, where JWT signature validation is correctly implemented by default. For organizations unable to upgrade immediately, apply the configuration workaround by explicitly setting the broker property sasl.oauthbearer.jwt.validator.class to org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator in the Kafka broker configuration file. This forces use of the secure validator that properly verifies JWT signatures, issuers, and audiences. Note that this configuration change requires broker restart and should be tested in non-production environments first to ensure compatibility with existing client token generation. If SASL/OAUTHBEARER is not required, consider switching to alternative authentication mechanisms (SASL/PLAIN, SASL/SCRAM, mTLS) as a compensating control, though this involves more significant architecture changes and client reconfiguration. Review Kafka access logs for suspicious authentication patterns or unexpected user identities during the vulnerable period. Consult the official Apache Kafka CVE list at https://kafka.apache.org/cve-list and the vendor advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-33557 for additional guidance.

Vendor StatusVendor

Share

CVE-2026-33557 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy