Skip to main content

Klaw EUVDEUVD-2026-33961

| CVE-2026-44367 LOW
Improper Handling of Case Sensitivity (CWE-178)
2026-06-02 GitHub_M
2.7
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.7 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Patch available
Jun 02, 2026 - 17:01 EUVD
Source Code Evidence Fetched
Jun 02, 2026 - 16:02 vuln.today
Analysis Generated
Jun 02, 2026 - 16:02 vuln.today

DescriptionGitHub Advisory

Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to version 2.10.4, a vulnerability exists in the user registration and login mechanisms due to inconsistent handling of username case sensitivity, leading to a targeted Denial of Service (DoS) and complete account lockout. This issue has been patched in version 2.10.4.

AnalysisAI

Klaw, Aiven-Open's self-service Apache Kafka topic management portal, is vulnerable to targeted account lockout and Denial of Service via inconsistent case sensitivity handling in its user registration and login mechanisms, affecting all releases prior to v2.10.4. An attacker already holding high-privileged access (PR:H per CVSS vector) can register a username that is a case variant of an existing account, causing the legitimate account to become inaccessible. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the CVSS score of 2.7 (Low) accurately reflects the narrow, high-privilege-dependent attack surface.

Technical ContextAI

The root cause is CWE-178 (Improper Handling of Case Sensitivity): Klaw's registration and login flows apply different case-normalization logic to usernames, creating a state where a case-variant of an existing username can be introduced as a new account, conflicting with the original during authentication. Klaw (CPE: cpe:2.3:a:aiven-open:klaw:*:*:*:*:*:*:*:*) is a Java-based governance portal for Apache Kafka, where user accounts represent meaningful access-control principals for topic and cluster management. Because usernames serve as identity anchors for RBAC within Kafka governance workflows, an inconsistency in case handling at the identity layer has direct availability consequences for targeted users.

RemediationAI

Upgrade Klaw to version 2.10.4, which is the vendor-released patch confirmed by both the GitHub release tag (https://github.com/Aiven-Open/klaw/releases/tag/v2.10.4) and the security advisory (GHSA-75rx-m9vh-mm9p). The full diff from v2.10.3 is available at https://github.com/Aiven-Open/klaw/compare/v2.10.3...v2.10.4. If an immediate upgrade is not feasible, restrict high-privileged Klaw roles strictly to trusted personnel, since exploitation requires PR:H credentials - reducing the administrative account surface reduces the exploitable population. Additionally, audit user registration logs for username entries that differ only by case, which would indicate either accidental misconfiguration or attempted exploitation. No formal workarounds are documented in available vendor references.

Share

EUVD-2026-33961 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy