Skip to main content

Klaw CVE-2026-45080

| EUVDEUVD-2026-33962 MEDIUM
Information Exposure (CWE-200)
2026-06-02 GitHub_M
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Source Code Evidence Fetched
Jun 02, 2026 - 18:08 vuln.today
Analysis Generated
Jun 02, 2026 - 18:08 vuln.today
Patch available
Jun 02, 2026 - 17:01 EUVD
CVSS changed
Jun 02, 2026 - 16:22 NVD
6.9 (MEDIUM)
CVE Published
Jun 02, 2026 - 15:30 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 02, 2026 - 15:30 nvd
MEDIUM 6.9

DescriptionGitHub Advisory

Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to version 2.10.4, improper access control allows disclosure of password hash. This issue has been patched in version 2.10.4.

AnalysisAI

Improper access control in Klaw, the Aiven-Open self-service Apache Kafka governance portal, exposes user password hashes to unauthenticated remote attackers in all versions prior to 2.10.4. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is exploitable over the network without any authentication or user interaction, making it trivially reachable in internet-exposed deployments. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the unauthenticated network vector lowers the bar significantly for opportunistic attackers seeking credential material.

Technical ContextAI

Klaw (CPE: cpe:2.3:a:aiven-open:klaw:*:*:*:*:*:*:*:*) is a web-based, self-service governance portal for Apache Kafka topic management, maintained by Aiven-Open. The root cause is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating an access control boundary failure where one or more API endpoints or data retrieval paths fail to enforce authentication or authorization checks before returning sensitive data. In this case, the sensitive data is a user's password hash - a derivative of credentials that, depending on the hashing algorithm in use (e.g., bcrypt, MD5, SHA-1), may be subject to offline cracking. The CVSS 4.0 metric SC:N (no impact on subsequent/system scope) suggests the exposure is confined to the Klaw application's own data store rather than the underlying Kafka infrastructure.

RemediationAI

The primary fix is to upgrade Klaw to version 2.10.4, which was released by Aiven-Open and confirmed to contain the patch for this issue (see https://github.com/Aiven-Open/klaw/releases/tag/v2.10.4 and the full changelog at https://github.com/Aiven-Open/klaw/compare/v2.10.3...v2.10.4). As a compensating control prior to patching, restrict network access to the Klaw portal to trusted IP ranges or internal networks only, using firewall rules or a reverse proxy with IP allowlisting - this directly counters the AV:N attack vector and prevents unauthenticated internet-sourced requests from reaching the vulnerable endpoint. If Klaw is already internet-exposed and patching is delayed, consider temporarily disabling external access entirely, accepting the operational impact of reduced self-service availability. After patching, conduct a password reset for all Klaw users as a precaution, since it cannot be determined without forensic review whether hashes were accessed prior to remediation.

Share

CVE-2026-45080 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy