TL;DR
A researcher disclosed a Kafka authentication bypass in the OAUTHBEARER login path. It affects Apache Kafka 4.0.0 through 4.0.x. An attacker can replay a captured JWT long after it expires. Apache had not answered private reports, so the finder went public.
Why it matters
Kafka often sits at the heart of data pipelines. So a broker takeover exposes topic data and broker configuration. The researcher rates the flaw at CVSS 8.1, a high but self-assigned score. A stolen token grants produce and consume rights for the captured principal. It can also corrupt cluster state and disrupt availability.
Short-lived tokens usually limit this risk. In practice, though, an attacker can grab one from scraped logs, a leaked error response, or a compromised client host. That single token is enough.
How the attack works
The refactored 4.0.0 client checks a JWT’s not-before (nbf) claim for clock skew. However, it never enforces the expiration (exp) claim. As a result, an expired token with an old nbf still passes validation. Therefore, any historical session JWT keeps working indefinitely, even a leaked one. The attack needs no user interaction, only network reach to the broker and one previously valid token. The researcher published the report on the oss-security mailing list but withheld the proof-of-concept.
Affected versions and status
Only Apache Kafka 4.0.0 through 4.0.x use the vulnerable code path. Older 3.x releases stay unaffected, since they use a different authentication path. No public exploit and no in-the-wild abuse have been confirmed. Notably, Kafka’s OAUTHBEARER handling drew separate CVEs earlier in 2026, namely CVE-2026-33557 and CVE-2026-33558, which cover different flaws.
Mitigation
No official fix existed at disclosure. Until one ships, restrict network access to the SASL listener. Rotate JWT signing keys, and force clients to re-authenticate. Also watch for a 4.0.x security release from the Kafka team. This Kafka authentication bypass needs a code fix, so upgrade as soon as a patch lands.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.