cvelistv5 - cve-2026-33557

CVE-2026-33557 (GCVE-0-2026-33557)

Vulnerability from cvelistv5

Published

2026-04-20 13:28

Modified

2026-04-20 14:30

Severity ?

CWE

CWE-1285 - Improper Validation of Specified Index, Position, or Offset in Input

Summary

A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the `preferred_username` set to any user, and the broker will accept it. We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.

References

URL

Tags

	https://kafka.apache.org/cve-list	vendor-advisory
	https://lists.apache.org/thread/v57o00hm6yszdpdnvqx2ss4561yh953h	mailing-list

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Kafka	Version: 4.1.0 ≤ 4.1.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-20T13:38:51.117Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/17/2"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-33557",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-20T14:29:31.424817Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-20T14:30:30.936Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Kafka",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "4.1.1",
              "status": "affected",
              "version": "4.1.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "\u041f\u0430\u0432\u0435\u043b \u0420\u043e\u043c\u0430\u043d\u043e\u0432 \u003cpromanov1994@gmail.com\u003e"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eA possible security vulnerability has been identified in Apache Kafka.\u003c/div\u003e\u003cdiv\u003eBy default, the broker property `sasl.oauthbearer.jwt.validator.class` is\u0026nbsp;set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its\u0026nbsp;signature, issuer, or audience. An attacker can generate a JWT\u0026nbsp;token from any issuer with the `preferred_username` set to any user, and the broker will accept it.\u003c/div\u003e\u003cdiv\u003eWe advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.\u003c/div\u003e\u003cbr\u003e"
            }
          ],
          "value": "A possible security vulnerability has been identified in Apache Kafka.\n\nBy default, the broker property `sasl.oauthbearer.jwt.validator.class` is\u00a0set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its\u00a0signature, issuer, or audience. An attacker can generate a JWT\u00a0token from any issuer with the `preferred_username` set to any user, and the broker will accept it.\n\nWe advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1285",
              "description": "CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-20T13:28:43.669Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://kafka.apache.org/cve-list"
        },
        {
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread/v57o00hm6yszdpdnvqx2ss4561yh953h"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-33557",
    "datePublished": "2026-04-20T13:28:43.669Z",
    "dateReserved": "2026-03-23T03:14:53.527Z",
    "dateUpdated": "2026-04-20T14:30:30.936Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/04/17/2\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-04-20T13:38:51.117Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33557\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-20T14:29:31.424817Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-20T14:28:04.017Z\"}}], \"cna\": {\"title\": \"Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"\\u041f\\u0430\\u0432\\u0435\\u043b \\u0420\\u043e\\u043c\\u0430\\u043d\\u043e\\u0432 \u003cpromanov1994@gmail.com\u003e\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"important\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Kafka\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.1.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.1.1\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://kafka.apache.org/cve-list\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://lists.apache.org/thread/v57o00hm6yszdpdnvqx2ss4561yh953h\", \"tags\": [\"mailing-list\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A possible security vulnerability has been identified in Apache Kafka.\\n\\nBy default, the broker property `sasl.oauthbearer.jwt.validator.class` is\\u00a0set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its\\u00a0signature, issuer, or audience. An attacker can generate a JWT\\u00a0token from any issuer with the `preferred_username` set to any user, and the broker will accept it.\\n\\nWe advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003eA possible security vulnerability has been identified in Apache Kafka.\u003c/div\u003e\u003cdiv\u003eBy default, the broker property `sasl.oauthbearer.jwt.validator.class` is\u0026nbsp;set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its\u0026nbsp;signature, issuer, or audience. An attacker can generate a JWT\u0026nbsp;token from any issuer with the `preferred_username` set to any user, and the broker will accept it.\u003c/div\u003e\u003cdiv\u003eWe advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.\u003c/div\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1285\", \"description\": \"CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2026-04-20T13:28:43.669Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33557\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-20T14:30:30.936Z\", \"dateReserved\": \"2026-03-23T03:14:53.527Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2026-04-20T13:28:43.669Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

CERTFR-2026-AVI-0461

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans Apache Kafka. Elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données et un contournement de la politique de sécurité.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Apache	Kafka Clients	Kafka Clients versions antérieures à 3.9.2
Apache	Kafka Clients	Kafka Clients versions 4.1.x antérieures à 4.1.2
Apache	Kafka	Kafka versions 4.1.x antérieures à 4.1.2
Apache	Kafka Clients	Kafka Clients versions 4.0.x antérieures à 4.0.1

References

Title

Publication Time

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted