Apache Kerby CVE-2026-57915

EUVD: EUVD-2026-39650 · HIGH
Missing Critical Step in Authentication (CWE-304)
2026-06-26 · apache · GHSA-262p-fj3f-xh7v
7.3 · CVSS 3.1 · Vendor: apache

Severity by source

Vendor (apache), primary: 7.3 HIGH
  CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

vuln.today AI: 7.3 HIGH
  Remote unauthenticated AS-REQ with a crafted PA-DATA type (AV:N/AC:L/PR:N/UI:N); a bypassed-but-not-forged auth control yields partial C/I/A, no scope change.
  CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Red Hat: 7.3 HIGH (qualitative)

Primary rating from Vendor (apache).

CVSS Vector (Vendor: apache)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline (6 events)

Jun 26, 2026 - 15:29  vuln.today  Analysis Updated, v3 (cvss_changed)
Jun 26, 2026 - 15:29  vuln.today  Analysis Updated, v2 (cvss_changed)
Jun 26, 2026 - 15:22  vuln.today  Re-analysis Queued (cvss_changed)
Jun 26, 2026 - 15:22  NVD         CVSS changed: 7.3 (HIGH)
Jun 26, 2026 - 14:01  EUVD        Patch available
Jun 26, 2026 - 13:20  vuln.today  Analysis Generated

Description (CVE.org)

It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an unrecognized or unsupported type. Users are recommended to upgrade to version 2.1.2, which fixes this issue.

Analysis (AI)

Authentication bypass in Apache Kerby before 2.1.2 lets remote attackers defeat Kerberos pre-authentication by submitting a PA-DATA element with an unrecognized or unsupported type, causing the KDC to skip the pre-auth check rather than reject the request. The flaw affects all Apache Kerby deployments below 2.1.2 acting as a Kerberos KDC/AS, and is fixed in version 2.1.2. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Reach Kerby KDC over network
Delivery: Craft AS-REQ with unsupported PA-DATA type
Exploit: Server skips pre-authentication check
Execution: Obtain unauthorized AS response
Impact: Abuse weakened Kerberos authentication

Vulnerability Assessment (AI)

Exploitation: Exploitation requires network reachability to an Apache Kerby instance (version < 2.1.2) operating as a Kerberos KDC/Authentication Service, and the ability to send an AS-REQ whose PA-DATA carries an unrecognized or unsupported type value; that crafted PA-DATA element is the specific trigger. …

Risk Assessment: The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L = 7.3 High) indicates a network-reachable, low-complexity, unauthenticated attack with no user interaction, which is consistent with the description of sending a crafted PA-DATA to a KDC. …

Exploit Scenario: An attacker with network access to a Kerby-backed KDC crafts an AS-REQ containing a PA-DATA element with an unrecognized or unsupported pre-auth type, causing the server to skip the pre-authentication check it should have enforced. Because the request is processed without proof of the client's long-term key, the attacker can interact with the authentication service in ways pre-auth is meant to prevent, all without credentials or user interaction (AV:N/AC:L/PR:N/UI:N). …

Remediation: Upgrade Apache Kerby to version 2.1.2, the vendor-released patch which the project states fixes this issue; this is the primary and recommended remediation. …

Recommended Action (AI)

Within 24 hours: Identify all systems running Apache Kerby below version 2.1.2 and document their criticality to your authentication infrastructure. …

Vendor Status (Vendor)
