Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to version 2.10.4, improper access control allows disclosure of password hash. This issue has been patched in version 2.10.4.
AnalysisAI
Improper access control in Klaw, the Aiven-Open self-service Apache Kafka governance portal, exposes user password hashes to unauthenticated remote attackers in all versions prior to 2.10.4. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is exploitable over the network without any authentication or user interaction, making it trivially reachable in internet-exposed deployments. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the unauthenticated network vector lowers the bar significantly for opportunistic attackers seeking credential material.
Technical ContextAI
Klaw (CPE: cpe:2.3:a:aiven-open:klaw:*:*:*:*:*:*:*:*) is a web-based, self-service governance portal for Apache Kafka topic management, maintained by Aiven-Open. The root cause is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating an access control boundary failure where one or more API endpoints or data retrieval paths fail to enforce authentication or authorization checks before returning sensitive data. In this case, the sensitive data is a user's password hash - a derivative of credentials that, depending on the hashing algorithm in use (e.g., bcrypt, MD5, SHA-1), may be subject to offline cracking. The CVSS 4.0 metric SC:N (no impact on subsequent/system scope) suggests the exposure is confined to the Klaw application's own data store rather than the underlying Kafka infrastructure.
RemediationAI
The primary fix is to upgrade Klaw to version 2.10.4, which was released by Aiven-Open and confirmed to contain the patch for this issue (see https://github.com/Aiven-Open/klaw/releases/tag/v2.10.4 and the full changelog at https://github.com/Aiven-Open/klaw/compare/v2.10.3...v2.10.4). As a compensating control prior to patching, restrict network access to the Klaw portal to trusted IP ranges or internal networks only, using firewall rules or a reverse proxy with IP allowlisting - this directly counters the AV:N attack vector and prevents unauthenticated internet-sourced requests from reaching the vulnerable endpoint. If Klaw is already internet-exposed and patching is delayed, consider temporarily disabling external access entirely, accepting the operational impact of reduced self-service availability. After patching, conduct a password reset for all Klaw users as a precaution, since it cannot be determined without forensic review whether hashes were accessed prior to remediation.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33962