EUVD-2026-23846
GHSA-28jg-cgg7-j4wc
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionNVD
A possible security vulnerability has been identified in Apache Kafka.
By default, the broker property sasl.oauthbearer.jwt.validator.class is set to org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the preferred_username set to any user, and the broker will accept it.
We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config sasl.oauthbearer.jwt.validator.class to org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.
AnalysisAI
Apache Kafka 4.1.0 and 4.1.1 accept forged JWT tokens without signature validation, allowing remote unauthenticated attackers to authenticate as any user and gain unauthorized access to Kafka resources. The default SASL/OAUTHBEARER validator (DefaultJwtValidator) fails to verify token signatures, issuers, or audiences, enabling complete authentication bypass. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Identify and inventory all Kafka deployments running versions 4.1.0 or 4.1.1 using asset management tools; isolate affected clusters from untrusted networks if possible. Within 7 days: Apply vendor-issued patches when available or implement network segmentation restricting Kafka broker access to known trusted clients only; disable SASL/OAUTHBEARER authentication temporarily if alternative SASL mechanisms (PLAINTEXT, SCRAM) are available. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today