{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33557", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-23T03:14:53.527Z", "datePublished": "2026-04-20T13:28:43.669Z", "dateUpdated": "2026-04-20T14:30:30.936Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Kafka", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "4.1.1", "status": "affected", "version": "4.1.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "\u041f\u0430\u0432\u0435\u043b \u0420\u043e\u043c\u0430\u043d\u043e\u0432 <promanov1994@gmail.com>"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>A possible security vulnerability has been identified in Apache Kafka.</div><div>By default, the broker property `sasl.oauthbearer.jwt.validator.class` is&nbsp;set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its&nbsp;signature, issuer, or audience. An attacker can generate a JWT&nbsp;token from any issuer with the `preferred_username` set to any user, and the broker will accept it.</div><div>We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.</div><br>"}], "value": "A possible security vulnerability has been identified in Apache Kafka.\n\nBy default, the broker property `sasl.oauthbearer.jwt.validator.class` is\u00a0set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its\u00a0signature, issuer, or audience. An attacker can generate a JWT\u00a0token from any issuer with the `preferred_username` set to any user, and the broker will accept it.\n\nWe advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1285", "description": "CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-20T13:28:43.669Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://kafka.apache.org/cve-list"}, {"tags": ["mailing-list"], "url": "https://lists.apache.org/thread/v57o00hm6yszdpdnvqx2ss4561yh953h"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/17/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-20T13:38:51.117Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T14:29:31.424817Z", "id": "CVE-2026-33557", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:30:30.936Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/17/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-20T13:38:51.117Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-33557", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T14:29:31.424817Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:28:04.017Z"}}], "cna": {"title": "Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "\u041f\u0430\u0432\u0435\u043b \u0420\u043e\u043c\u0430\u043d\u043e\u0432 <promanov1994@gmail.com>"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Kafka", "versions": [{"status": "affected", "version": "4.1.0", "versionType": "semver", "lessThanOrEqual": "4.1.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://kafka.apache.org/cve-list", "tags": ["vendor-advisory"]}, {"url": "https://lists.apache.org/thread/v57o00hm6yszdpdnvqx2ss4561yh953h", "tags": ["mailing-list"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A possible security vulnerability has been identified in Apache Kafka.\n\nBy default, the broker property `sasl.oauthbearer.jwt.validator.class` is\u00a0set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its\u00a0signature, issuer, or audience. An attacker can generate a JWT\u00a0token from any issuer with the `preferred_username` set to any user, and the broker will accept it.\n\nWe advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.", "supportingMedia": [{"type": "text/html", "value": "<div>A possible security vulnerability has been identified in Apache Kafka.</div><div>By default, the broker property `sasl.oauthbearer.jwt.validator.class` is&nbsp;set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its&nbsp;signature, issuer, or audience. An attacker can generate a JWT&nbsp;token from any issuer with the `preferred_username` set to any user, and the broker will accept it.</div><div>We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.</div><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1285", "description": "CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-20T13:28:43.669Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33557", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:30:30.936Z", "dateReserved": "2026-03-23T03:14:53.527Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-20T13:28:43.669Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D700BB3-89AD-4488-8820-17C427E7983D", "versionEndExcluding": "4.1.2", "versionStartIncluding": "4.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A possible security vulnerability has been identified in Apache Kafka.\n\nBy default, the broker property `sasl.oauthbearer.jwt.validator.class` is\u00a0set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its\u00a0signature, issuer, or audience. An attacker can generate a JWT\u00a0token from any issuer with the `preferred_username` set to any user, and the broker will accept it.\n\nWe advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token."}], "id": "CVE-2026-33557", "lastModified": "2026-04-22T14:14:52.030", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-20T14:16:18.780", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://kafka.apache.org/cve-list"}, {"source": "security@apache.org", "tags": ["Vendor Advisory", "Mitigation"], "url": "https://lists.apache.org/thread/v57o00hm6yszdpdnvqx2ss4561yh953h"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2026/04/17/2"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1285"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "kafka: Apache Kafka: Authentication bypass via improper JWT validation", "id": "2459739", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459739"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "status": "draft"}, "cwe": "CWE-303", "details": ["A flaw was found in Apache Kafka. By default, the `sasl.oauthbearer.jwt.validator.class` property is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`, which does not validate JSON Web Token (JWT) signatures, issuers, or audiences. A remote attacker can exploit this by crafting a malicious JWT token with an arbitrary `preferred_username`, leading to an authentication bypass and unauthorized access to the Kafka broker."], "name": "CVE-2026-33557", "package_state": [{"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "openshift-serverless-1/kn-ekb-dispatcher-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "openshift-serverless-1/kn-ekb-receiver-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Not affected", "package_name": "kafka-clients", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "connect-api", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "kafka-clients", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Not affected", "package_name": "connect-api", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:apicurio_registry:3", "fix_state": "Not affected", "package_name": "connect-api", "product_name": "Red Hat build of Apicurio Registry 3"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Not affected", "package_name": "connect-api", "product_name": "Red Hat build of Debezium 2"}, {"cpe": "cpe:/a:redhat:debezium:3", "fix_state": "Affected", "package_name": "connect-api", "product_name": "Red Hat build of Debezium 3"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Not affected", "package_name": "kafka-clients", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "connect-api", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "kafka-clients", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "log4j:2/log4j", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "log4j", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "connect-api", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "kafka-clients", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "connect-api", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "kafka-clients", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "connect-api", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "kafka-clients", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "connect-api", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "kafka-clients", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "kafka-clients", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Not affected", "package_name": "connect-api", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Not affected", "package_name": "kafka-clients", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Affected", "package_name": "connect-api", "product_name": "streams for Apache Kafka 3"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Affected", "package_name": "kafka-clients", "product_name": "streams for Apache Kafka 3"}], "public_date": "2026-04-20T13:28:43Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33557\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33557\nhttp://www.openwall.com/lists/oss-security/2026/04/17/2\nhttps://kafka.apache.org/cve-list\nhttps://lists.apache.org/thread/v57o00hm6yszdpdnvqx2ss4561yh953h"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.1.0,4.1.1]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache Kafka", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "kafka", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-28T21:32:52.551482+00:00", "value": {"mitigation_remediation": ["Set sasl.oauthbearer.jwt.validator.class to org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator in broker configuration.", "Upgrade to Kafka 4.1.2, 4.2.0 or later where the default validator has been fixed.", "Restart Kafka broker services so that the configuration change takes effect."], "summary": {"action": "Update config", "impact": "Unauthorized Access via JWT Forgery"}, "threat_synthesis": {"affected_systems": "Apache Software Foundation's Apache Kafka versions 4.1.0 and 4.1.1 are affected when the broker property sasl.oauthbearer.jwt.validator.class is set to its default value. The issue is resolved in Kafka 4.1.2 and later, including 4.2.0 and newer releases.", "description_and_impact": "The vulnerability is caused by the default JWT validator in Kafka brokers, which accepts any JWT token without verifying its signature, issuer, or audience. Because of this missing validation, an attacker can produce a forged token containing any desired username, and the broker will treat the token as legitimate. This flaw, a CWE-1285 Missing Credentials Validation weakness and a CWE-303 Missing Authentication weakness, can lead to unauthorized access to Kafka resources and impersonation of legitimate users.", "risk_and_exploitability": "The CVSS score is 9.1, and the EPSS score is < 1%, indicating a very low probability of exploitation, but the vulnerability is active for all brokers running the vulnerable default configuration. An attacker who can connect to the broker using the OAUTHBEARER mechanism can simply send a malicious JWT to gain full access. The vulnerability does not require local privileges and can be triggered over the network, making it a high\u2011risk security concern. It is not listed in the CISA KEV catalog."}}}}, "created": "2026-04-20T16:00:10.644568+00:00", "updated": "2026-04-28T21:45:26.134423+00:00", "vendors": ["apache", "apache$PRODUCT$kafka"]}