Skip to main content

Apache Kafka EUVDEUVD-2026-33904

| CVE-2026-41115 MEDIUM
Improper Authorization (CWE-285)
2026-06-02 apache GHSA-p5r3-m3w4-4fj6
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 17:29 vuln.today
CVSS changed
Jun 02, 2026 - 17:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 02, 2026 - 08:56 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 02, 2026 - 08:56 nvd
MEDIUM 4.3

DescriptionCVE.org

An improper authorization vulnerability has been identified in Apache Kafka.

The implementation of the CONSUMER_GROUP_DESCRIBE (69) API validates the DESCRIBE operation on the GROUP resource instead of the READ operation that documented in the official kafka documentation and the KIP-848. This discrepancy can result in misconfigured Access Control Lists (ACLs) and unintended security postures, like granting READ permission to users who should not be able to join/sync groups, or allowing users without READ permission (but with DESCRIBE permission) to access sensitive group metadata.

The correct permission for CONSUMER_GROUP_DESCRIBE API is DESCRIBE GROUP so the current implementation is correct. However, the kafka documentation as well as the KIP-848 will be updated to reflect the correct permission. We advise the Kafka users to review existing group ACLs to ensure the principle of least privilege.

AnalysisAI

Improper authorization in Apache Kafka 4.0.0-4.3.0 arises from a discrepancy between the documented ACL requirement and the actual runtime behavior of the CONSUMER_GROUP_DESCRIBE (API key 69) endpoint. The API checks for DESCRIBE permission on the GROUP resource at runtime, while official Kafka documentation and KIP-848 specify READ as the required operation - causing administrators who followed the documentation to configure ACLs that either over-grant READ access to users who should only observe group metadata, or under-restrict DESCRIBE-only users who can nonetheless access sensitive consumer group state. No public exploit has been identified at time of analysis, and EPSS exploitation probability is 0.02% (4th percentile), indicating negligible opportunistic exploitation risk.

Technical ContextAI

Apache Kafka's authorization model uses Access Control Lists (ACLs) tied to resource types (GROUP, TOPIC, CLUSTER) and operations (READ, WRITE, DESCRIBE, etc.). KIP-848, which introduced the next-generation consumer group protocol, documented that the CONSUMER_GROUP_DESCRIBE API (opcode 69) should require READ on the GROUP resource. However, the actual Kafka broker implementation enforces DESCRIBE on GROUP instead. This CWE-285 (Improper Authorization) class flaw means the enforced permission boundary does not match the intended security contract documented by the vendor and the KIP specification. The affected CPE is cpe:2.3:a:apache_software_foundation:apache_kafka:*:*:*:*:*:*:*:* covering versions 4.0.0 through 4.3.0, which correspond to the release window of the KIP-848 next-gen consumer group implementation.

RemediationAI

The Apache Kafka vendor states the runtime implementation is correct (DESCRIBE on GROUP) and will update the official documentation and KIP-848 specification to reflect this. There is no code patch required. The primary remediation action is an ACL audit: operators should review all existing GROUP resource ACLs to verify they conform to the principle of least privilege under the correct permission model (DESCRIBE, not READ). Specifically, revoke READ permissions granted to principals solely for CONSUMER_GROUP_DESCRIBE access if those principals do not legitimately require group join/sync operations. Additionally, restrict DESCRIBE-only principals who should not have visibility into sensitive consumer group metadata. Reference the vendor advisory at https://kafka.apache.org/cve-list for updated ACL guidance once documentation is revised. No patch version upgrade is required; the fix is entirely operational.

Vendor StatusVendor

SUSE

Severity: Medium

Share

EUVD-2026-33904 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy