Security researchers disclose two distinct vulnerabilities affecting Apache Kafka, the cornerstone of high-performance data pipelines and mission-critical event streaming. While one flaw strikes at the heart of identity management with an “Important” severity rating, the second warns administrators about the dangers of verbose logging in production environments.
The most pressing issue, tracked as CVE-2026-33557, centers on a critical breakdown in authentication. For organizations that have configured sasl.enabled.mechanisms=OAUTHBEARER on the server side, a default setting may be leaving their brokers wide open.
By default, the system uses the DefaultJwtValidator class, which has been found to accept any JSON Web Token (JWT) without performing essential security checks. Specifically, the validator fails to verify the token’s signature, its issuer, or the intended audience.
This allows an attacker to generate their own JWT from any issuer. By simply setting the preferred_username field to any user of their choosing, an adversary can convince the broker to accept the token, effectively granting them unauthorized access to the stream.
While less severe than a direct authentication bypass, the second flaw, CVE-2026-33558, highlights a significant “Moderate” risk regarding sensitive data exposure.
Researchers discovered that the NetworkClient component, when set to the DEBUG log level, outputs the full content of entire requests and responses directly into the system logs. While the default log level is set to INFO, any administrator troubleshooting an issue by enabling DEBUG mode could inadvertently leak sensitive internal credentials or configuration data.
The list of impacted communications is extensive and includes sensitive operations such as SaslAuthenticateRequest, AlterConfigsRequest, and responses related to the creation and description of delegation tokens.
- Affected Versions: Apache Kafka Clients 0.11.0 through 3.9.1, and 4.0.0.
- Fixed Versions: 3.9.2, 4.0.1, and 4.1.0
Immediate Actions for Administrators:
- For CVE-2026-33557: If you are running versions 4.1.0 or 4.1.1, you should immediately set the configuration sasl.oauthbearer.jwt.validator.class to org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator to enforce proper token checks. Alternatively, upgrade to version 4.1.2 or 4.2.0.
- For CVE-2026-33558: Ensure that the NetworkClient class is set to INFO log level or higher in production environments. Upgrading to 3.9.2, 4.0.1, or 4.1.0 will also address the underlying logging behavior.
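Both mitigations are plain configuration checks, so they can be audited before a rollout. The script below is an added example and not an Apache Kafka tool: it reads a broker server.properties and a logging properties file and flags the two weak states the advisory names. It assumes the log4j 1.x properties syntax (log4j.rootLogger and log4j.logger.<name>=LEVEL) and walks the logger hierarchy the way log4j resolves an effective level; releases that ship log4j2 keep their logging configuration in a different format, and the same two checks would need to be expressed against that format. The sample configuration text in the main block is constructed.

```python
import re

VALIDATOR_KEY = "sasl.oauthbearer.jwt.validator.class"
BROKER_VALIDATOR = "org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator"
NETWORK_CLIENT_LOGGER = "org.apache.kafka.clients.NetworkClient"
# Anything below INFO makes the logger emit full request/response bodies
VERBOSE_LEVELS = {"DEBUG", "TRACE", "ALL"}


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def audit_broker_config(server_props: str) -> list:
    """CVE-2026-33557 check: OAUTHBEARER enabled without BrokerJwtValidator configured."""
    props = parse_properties(server_props)
    raw = props.get("sasl.enabled.mechanisms", "")
    mechanisms = {m.strip().upper() for m in raw.split(",") if m.strip()}
    findings = []
    if "OAUTHBEARER" in mechanisms and props.get(VALIDATOR_KEY) != BROKER_VALIDATOR:
        findings.append(
            f"OAUTHBEARER is enabled but {VALIDATOR_KEY} is not set to {BROKER_VALIDATOR}"
        )
    return findings


def audit_log_config(log4j_props: str) -> list:
    """CVE-2026-33558 check: NetworkClient's effective log level is below INFO."""
    props = parse_properties(log4j_props)
    # Walk from the most specific logger name up to the root, as log4j does
    parts = NETWORK_CLIENT_LOGGER.split(".")
    effective, source = None, None
    for depth in range(len(parts), 0, -1):
        name = ".".join(parts[:depth])
        value = props.get("log4j.logger." + name)
        if value is not None:
            effective, source = value, "log4j.logger." + name
            break
    if effective is None:
        effective, source = props.get("log4j.rootLogger"), "log4j.rootLogger"
    findings = []
    if effective:
        # The level is the first comma-separated token; the rest names appenders
        level = effective.split(",")[0].strip().upper()
        if level in VERBOSE_LEVELS:
            findings.append(
                f"{NETWORK_CLIENT_LOGGER} is effectively at {level} via {source}; "
                "full request/response bodies will be written to the log"
            )
    return findings


if __name__ == "__main__":
    # Constructed sample files for a stand-alone run
    sample_server = "sasl.enabled.mechanisms=PLAIN,OAUTHBEARER\n"
    sample_log = ("log4j.rootLogger=INFO, stdout\n"
                  "log4j.logger.org.apache.kafka.clients.NetworkClient=DEBUG\n")
    for finding in audit_broker_config(sample_server) + audit_log_config(sample_log):
        print("FINDING:", finding)
```

Run it against the real files with the two sample strings replaced by their contents; an empty result for both functions means the validator class is pinned and nothing below INFO reaches NetworkClient, whether set directly, on a parent package, or on the root logger.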