Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Information exposure vulnerability has been identified in Apache Kafka.
The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensitive information will be exposed via the requests and responses output log. The entire lists of impacted requests and responses are:
- AlterConfigsRequest
- AlterUserScramCredentialsRequest
- ExpireDelegationTokenRequest
- IncrementalAlterConfigsRequest
- RenewDelegationTokenRequest
- SaslAuthenticateRequest
- createDelegationTokenResponse
- describeDelegationTokenResponse
- SaslAuthenticateResponse
This issue affects Apache Kafka: from any version supported the listed API above through v3.9.1, v4.0.0. We advise the Kafka users to upgrade to v3.9.2, v4.0.1, or later to avoid this vulnerability.
AnalysisAI
Apache Kafka's NetworkClient component logs entire request and response payloads at DEBUG level, exposing sensitive authentication credentials, delegation tokens, and configuration data in plaintext logs. This affects Kafka versions 0.11.0 through 3.9.1 and 4.0.0 across the broker and client libraries. While DEBUG logging is not enabled by default (INFO is the standard), organizations that enable DEBUG logging for troubleshooting inadvertently create persistent records of authentication material and secrets that can be harvested by local log readers or accessed via log aggregation systems. CVSS 5.3 reflects low network attack surface (requires prior DEBUG enablement), but SSVC rates this as automatable with partial technical impact, suitable for prioritization in environments using centralized logging.
Technical ContextAI
The vulnerability resides in Apache Kafka's NetworkClient component, which handles protocol communication between brokers and clients using the Kafka wire protocol. The affected APIs include authentication mechanisms (SaslAuthenticateRequest/Response), credential management (AlterUserScramCredentialsRequest), and delegation token operations (ExpireDelegationToken, RenewDelegationToken, describeDelegationTokenResponse, createDelegationTokenResponse), plus configuration changes (AlterConfigsRequest, IncrementalAlterConfigsRequest). These request/response objects contain unmasked authentication tokens, SCRAM passwords, delegation token values, and configuration parameters. The root cause (CWE-533: Sensitive Data Exposure in Logs) stems from the use of generic object serialization in logging calls without field-level filtering or redaction. When a developer enables DEBUG logging for network packet analysis, the NetworkClient's toString() or logging framework introspection captures the entire object graph, bypassing any field-level protection. CPE identifiers apache_kafka and apache_kafka_clients confirm both broker and client libraries are vulnerable.
RemediationAI
Upgrade immediately to Apache Kafka 3.9.2 or later, or 4.0.1 or later, which implement field-level redaction of sensitive data in DEBUG logs (authentication tokens, credentials, and delegation tokens are masked or filtered from log output). For organizations unable to patch immediately, enforce the following compensating controls: (1) Disable DEBUG logging in production by ensuring log4j or logback configuration is set to INFO level or higher (trade-off: reduced visibility for network troubleshooting, but eliminates data exposure surface), (2) Restrict file system access to Kafka server logs via OS-level permissions (umask 0077 or equivalent ACLs so only Kafka process owner and root can read logs) (trade-off: operational complexity for multi-user systems), (3) If using centralized log aggregation (ELK, Splunk, Datadog), configure ingestion filters to redact lines containing 'SaslAuthenticate', 'AlterUserScram', 'DelegationToken', or 'AlterConfigs' before storage (trade-off: requires log pipeline reconfiguration and may miss variants), (4) Rotate Kafka logs frequently (e.g., daily) and delete logs older than 7 days to reduce the window of exposure (trade-off: loss of historical audit trail). See Apache advisory at https://kafka.apache.org/cve-list and https://lists.apache.org/thread/pz5g4ky3h0k91tfd14p0dzqjp80960kl for details.
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: ModerateShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23849