Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from Vendor (apache).
CVSS VectorVendor: apache
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
7Blast Radius
ecosystem impact- 295 maven packages depend on org.apache.kafka:kafka-clients (134 direct, 161 indirect)
Ecosystem-wide dependent count for version 4.1.0.
DescriptionCVE.org
A possible security vulnerability has been identified in Apache Kafka.
By default, the broker property sasl.oauthbearer.jwt.validator.class is set to org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the preferred_username set to any user, and the broker will accept it.
We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config sasl.oauthbearer.jwt.validator.class to org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.
AnalysisAI
Apache Kafka 4.1.0 and 4.1.1 accept forged JWT tokens without signature validation, allowing remote unauthenticated attackers to authenticate as any user and gain unauthorized access to Kafka resources. The default SASL/OAUTHBEARER validator (DefaultJwtValidator) fails to verify token signatures, issuers, or audiences, enabling complete authentication bypass. CVSS 9.1 (Critical) with network vector and no privileges required. SSVC indicates the vulnerability is automatable with partial technical impact. No active exploitation confirmed at time of analysis, but the attack requires minimal sophistication and could be scripted trivially given the token acceptance behavior.
Technical ContextAI
Apache Kafka's SASL/OAUTHBEARER authentication mechanism relies on JWT tokens for client authentication. The vulnerability stems from CWE-1285 (Improper Validation of Specified Index, Position, or Offset in Input), manifested as the DefaultJwtValidator class accepting JWT tokens without cryptographic signature verification. In OAuth 2.0 and JWT (RFC 7519) implementations, the signature validation step is critical to prevent token forgery-verifying the token was issued by a trusted authority and hasn't been tampered with. The affected versions (4.1.0-4.1.1) default to a validator that bypasses these essential checks, treating the 'preferred_username' claim as authoritative without verifying the token's authenticity. This allows attackers to craft self-signed tokens with arbitrary identity claims. The CPE identifies Apache Software Foundation's Apache Kafka as the affected product, specifically the broker authentication subsystem when configured for SASL/OAUTHBEARER.
RemediationAI
Immediate remediation requires upgrading to Apache Kafka version 4.1.2 or later, or version 4.2.0 or later, where JWT signature validation is correctly implemented by default. For organizations unable to upgrade immediately, apply the configuration workaround by explicitly setting the broker property sasl.oauthbearer.jwt.validator.class to org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator in the Kafka broker configuration file. This forces use of the secure validator that properly verifies JWT signatures, issuers, and audiences. Note that this configuration change requires broker restart and should be tested in non-production environments first to ensure compatibility with existing client token generation. If SASL/OAUTHBEARER is not required, consider switching to alternative authentication mechanisms (SASL/PLAIN, SASL/SCRAM, mTLS) as a compensating control, though this involves more significant architecture changes and client reconfiguration. Review Kafka access logs for suspicious authentication patterns or unexpected user identities during the vulnerable period. Consult the official Apache Kafka CVE list at https://kafka.apache.org/cve-list and the vendor advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-33557 for additional guidance.
Same technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23846
GHSA-28jg-cgg7-j4wc