Skip to main content

Apache CVE-2026-33558

| EUVDEUVD-2026-23849 MEDIUM
DEPRECATED: Information Exposure Through Server Log Files (CWE-533)
2026-04-20 apache
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 20, 2026 - 17:11 vuln.today
EUVD ID Assigned
Apr 20, 2026 - 14:15 euvd
EUVD-2026-23849
Analysis Generated
Apr 20, 2026 - 14:15 vuln.today
CVE Published
Apr 20, 2026 - 13:20 nvd
MEDIUM 5.3

DescriptionCVE.org

Information exposure vulnerability has been identified in Apache Kafka.

The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensitive information will be exposed via the requests and responses output log. The entire lists of impacted requests and responses are:

  • AlterConfigsRequest
  • AlterUserScramCredentialsRequest
  • ExpireDelegationTokenRequest
  • IncrementalAlterConfigsRequest
  • RenewDelegationTokenRequest
  • SaslAuthenticateRequest
  • createDelegationTokenResponse
  • describeDelegationTokenResponse
  • SaslAuthenticateResponse

This issue affects Apache Kafka: from any version supported the listed API above through v3.9.1, v4.0.0. We advise the Kafka users to upgrade to v3.9.2, v4.0.1, or later to avoid this vulnerability.

AnalysisAI

Apache Kafka's NetworkClient component logs entire request and response payloads at DEBUG level, exposing sensitive authentication credentials, delegation tokens, and configuration data in plaintext logs. This affects Kafka versions 0.11.0 through 3.9.1 and 4.0.0 across the broker and client libraries. While DEBUG logging is not enabled by default (INFO is the standard), organizations that enable DEBUG logging for troubleshooting inadvertently create persistent records of authentication material and secrets that can be harvested by local log readers or accessed via log aggregation systems. CVSS 5.3 reflects low network attack surface (requires prior DEBUG enablement), but SSVC rates this as automatable with partial technical impact, suitable for prioritization in environments using centralized logging.

Technical ContextAI

The vulnerability resides in Apache Kafka's NetworkClient component, which handles protocol communication between brokers and clients using the Kafka wire protocol. The affected APIs include authentication mechanisms (SaslAuthenticateRequest/Response), credential management (AlterUserScramCredentialsRequest), and delegation token operations (ExpireDelegationToken, RenewDelegationToken, describeDelegationTokenResponse, createDelegationTokenResponse), plus configuration changes (AlterConfigsRequest, IncrementalAlterConfigsRequest). These request/response objects contain unmasked authentication tokens, SCRAM passwords, delegation token values, and configuration parameters. The root cause (CWE-533: Sensitive Data Exposure in Logs) stems from the use of generic object serialization in logging calls without field-level filtering or redaction. When a developer enables DEBUG logging for network packet analysis, the NetworkClient's toString() or logging framework introspection captures the entire object graph, bypassing any field-level protection. CPE identifiers apache_kafka and apache_kafka_clients confirm both broker and client libraries are vulnerable.

RemediationAI

Upgrade immediately to Apache Kafka 3.9.2 or later, or 4.0.1 or later, which implement field-level redaction of sensitive data in DEBUG logs (authentication tokens, credentials, and delegation tokens are masked or filtered from log output). For organizations unable to patch immediately, enforce the following compensating controls: (1) Disable DEBUG logging in production by ensuring log4j or logback configuration is set to INFO level or higher (trade-off: reduced visibility for network troubleshooting, but eliminates data exposure surface), (2) Restrict file system access to Kafka server logs via OS-level permissions (umask 0077 or equivalent ACLs so only Kafka process owner and root can read logs) (trade-off: operational complexity for multi-user systems), (3) If using centralized log aggregation (ELK, Splunk, Datadog), configure ingestion filters to redact lines containing 'SaslAuthenticate', 'AlterUserScram', 'DelegationToken', or 'AlterConfigs' before storage (trade-off: requires log pipeline reconfiguration and may miss variants), (4) Rotate Kafka logs frequently (e.g., daily) and delete logs older than 7 days to reduce the window of exposure (trade-off: loss of historical audit trail). See Apache advisory at https://kafka.apache.org/cve-list and https://lists.apache.org/thread/pz5g4ky3h0k91tfd14p0dzqjp80960kl for details.

Vendor StatusVendor

SUSE

Severity: Moderate

Share

CVE-2026-33558 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy