CVE-2026-33557
Apache · Kafka
A JWT validation flaw in Apache Kafka's OAuth bearer authentication allows unauthenticated attackers to impersonate any user by providing forged tokens.
Executive summary
Apache Kafka 4.1.0 and 4.1.1 contain an authentication bypass in SASL/OAUTHBEARER: an unauthenticated attacker who can reach a listener with the OAUTHBEARER mechanism enabled can authenticate as any principal and obtains whatever access that principal's ACLs grant, up to and including superuser rights. Only listeners that enable OAUTHBEARER expose the flaw.
Vulnerability
When sasl.oauthbearer.jwt.validator.class is left at its default, the broker-side JWT validator accepts a token without checking its cryptographic signature, its issuer (iss) claim, or its audience (aud) claim. Any client that can open a connection to an OAUTHBEARER listener can therefore present a self-minted token carrying an arbitrary subject claim, and the broker authenticates it as that principal. No credential, key material, or access to the identity provider is required.
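To make the missing checks concrete, the following Python script is added here as an illustration; it is not Kafka's validator, and it uses a constructed HS256 shared secret, issuer and audience in place of a real identity provider's JWKS. It runs a genuine token and two forgeries through a validator that only reads the claims, which is the failure mode described above, and through one that verifies signature, issuer, audience and expiry before trusting the subject claim.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed identity-provider parameters for the example (not Kafka's code).
# Production brokers verify RS256/ES256 signatures against the IdP's JWKS;
# HS256 with a shared secret keeps this self-contained and offline.
IDP_SIGNING_KEY = b"constructed-idp-signing-secret"
EXPECTED_ISSUER = "https://idp.example.test/"
EXPECTED_AUDIENCE = "kafka-broker"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def mint_token(claims: dict, key: Optional[bytes]) -> str:
    """Build a compact JWT. key=None yields an unsigned 'alg: none' token,
    which is all an attacker needs when claims are never verified."""
    header = {"alg": "HS256" if key else "none", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    if key is None:
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def principal_from_claims_only(token: str) -> str:
    """The failure mode the advisory describes: the subject is read straight
    out of the payload with no signature, issuer or audience check."""
    return json.loads(_b64url_decode(token.split(".")[1]))["sub"]


def principal_verified(token: str, key: bytes, now: Optional[int] = None) -> str:
    """What a broker-side validator has to establish before trusting 'sub'.
    Raises ValueError on any failure; signature is checked before any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":               # rejects 'none' and alg confusion
        raise ValueError("unacceptable alg %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + claims_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this broker")
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims["sub"]


def compare_validators(now: int = 1_700_000_000) -> dict:
    """Run a genuine token and two forgeries through both code paths."""
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": now + 300}
    tokens = {
        "genuine": mint_token({**base, "sub": "producer-svc"}, IDP_SIGNING_KEY),
        "unsigned": mint_token({**base, "sub": "kafka-admin"}, None),
        "wrong_key": mint_token({**base, "sub": "kafka-admin"}, b"attacker-key"),
    }
    results = {}
    for name, tok in tokens.items():
        try:
            verified = principal_verified(tok, IDP_SIGNING_KEY, now)
        except ValueError as err:
            verified = "rejected: " + str(err)
        results[name] = {"claims_only": principal_from_claims_only(tok), "verified": verified}
    return results


if __name__ == "__main__":
    for name, outcome in compare_validators().items():
        print(name, outcome)
```

The claims-only path returns kafka-admin for both forgeries; the verifying path rejects the unsigned token on its alg header before doing any signature work and rejects the re-signed one on signature mismatch. The issuer and audience checks are what stop a token the IdP genuinely issued for some other service from being replayed against the broker, which is why all three checks matter.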
Business impact
Exploitation is a critical risk to the confidentiality and integrity of data in the cluster (CVSS score 9.1). An attacker who impersonates a privileged principal can read from or write to any topic that principal can access, disrupt service, and, if the principal is a superuser or holds cluster-level ACLs, take administrative control of the cluster through topic, ACL, and configuration changes.
Remediation
Immediate Action: Upgrade to Apache Kafka 4.1.2 or later, or to 4.2.0 or later. If an immediate upgrade is not feasible, explicitly set sasl.oauthbearer.jwt.validator.class to org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator in the configuration of every broker and restart the brokers so the setting takes effect. Apply it for every listener that enables the OAUTHBEARER mechanism; where a listener overrides SASL settings with a listener-prefixed key, the prefixed value takes precedence, so set it there as well. After the rollout, confirm the effective value on each broker (brokers log their effective configuration at startup) rather than assuming it from the file you edited.
Proactive Monitoring: Because the flawed validator accepts forged tokens as readily as genuine ones, broker authentication logs alone cannot tell the two apart. Correlate successful OAUTHBEARER authentications on the broker (principal, client address, time) with the identity provider's token-issuance records, and treat any principal that authenticated to the broker without a matching token issuance, or from an unexpected client network, as a likely forgery. Review ACL and configuration changes made during the exposure window.
Compensating Controls: Until the patch or configuration change is in place, restrict network access to OAUTHBEARER listeners (firewall rules, security groups, or a private network) to known, trusted client addresses. This reduces exposure but does not remove it: any client that can still reach the listener can forge a token, so it is not a substitute for the fix.
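The configuration check below is an added example, not an Apache Kafka tool: it parses a constructed server.properties fragment, identifies SASL listeners that enable OAUTHBEARER, and reports whether each is vulnerable, mitigated by the BrokerJwtValidator setting, or on a fixed version. The listener-prefixed resolution order (listener.name.<listener>.oauthbearer.<property> over the global property) is assumed from Kafka's SASL configuration convention and should be checked against your broker's documentation.

```python
from typing import Dict, List, Tuple

# Constructed example (not Kafka's own code): audits a broker's
# server.properties for the exposure described in this advisory.
VALIDATOR_KEY = "sasl.oauthbearer.jwt.validator.class"
MITIGATING_CLASS = "org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator"
AFFECTED_RANGE = ((4, 1, 0), (4, 1, 2))   # [4.1.0, 4.1.2); 4.1.2+ and 4.2.0+ are fixed

# Constructed server.properties fragments. The first leaves the validator at
# its default on an OAUTHBEARER listener; the second pins the mitigation.
VULNERABLE_PROPS = """\
# constructed example: 4.1.x broker, OAUTHBEARER listener, validator at default
listeners=PLAINTEXT://:9092,SASL_SSL://:9093
listener.security.protocol.map=PLAINTEXT:PLAINTEXT,SASL_SSL:SASL_SSL
sasl.enabled.mechanisms=OAUTHBEARER
sasl.oauthbearer.jwks.endpoint.url=https://idp.example.test/jwks
sasl.oauthbearer.expected.issuer=https://idp.example.test/
sasl.oauthbearer.expected.audience=kafka-broker
"""
MITIGATED_PROPS = VULNERABLE_PROPS + VALIDATOR_KEY + "=" + MITIGATING_CLASS + "\n"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value, '#'/'!' comments, no escapes."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in version.split("."))


def sasl_listeners(props: Dict[str, str]) -> List[str]:
    """Listener names from 'listeners' whose security protocol is SASL_*."""
    proto_map = {}
    for entry in props.get("listener.security.protocol.map", "").split(","):
        name, sep, proto = entry.partition(":")
        if sep:
            proto_map[name.strip()] = proto.strip()
    names = []
    for entry in props.get("listeners", "").split(","):
        name = entry.strip().split("://", 1)[0]
        if name and proto_map.get(name, name).upper().startswith("SASL_"):
            names.append(name)
    return names


def effective(props: Dict[str, str], listener: str, mechanism: str, key: str, default: str = "") -> str:
    """Resolve a SASL setting the way Kafka does: the listener-prefixed form
    listener.name.<listener>.<mechanism>.<key> overrides the global key.
    (Assumed prefix convention; verify against your broker's documentation.)"""
    prefixed = "listener.name.%s.%s.%s" % (listener.lower(), mechanism, key)
    return props.get(prefixed, props.get(key, default))


def audit(props_text: str, version: str) -> Dict[str, str]:
    """Classify every SASL listener on the broker as not-exposed, fixed-version,
    mitigated or vulnerable."""
    props = parse_properties(props_text)
    in_range = AFFECTED_RANGE[0] <= parse_version(version) < AFFECTED_RANGE[1]
    report = {}
    for listener in sasl_listeners(props):
        # the mechanism list itself is prefixed without a mechanism component
        mechs = props.get("listener.name.%s.sasl.enabled.mechanisms" % listener.lower(),
                          props.get("sasl.enabled.mechanisms", "GSSAPI"))
        if "OAUTHBEARER" not in {m.strip().upper() for m in mechs.split(",")}:
            report[listener] = "not-exposed"
        elif not in_range:
            report[listener] = "fixed-version"
        elif effective(props, listener, "oauthbearer", VALIDATOR_KEY) == MITIGATING_CLASS:
            report[listener] = "mitigated"
        else:
            report[listener] = "vulnerable"
    return report


if __name__ == "__main__":
    for label, text in (("default validator", VULNERABLE_PROPS), ("pinned validator", MITIGATED_PROPS)):
        print(label, audit(text, "4.1.1"))
```

Setting sasl.oauthbearer.expected.issuer and sasl.oauthbearer.expected.audience, as the vulnerable fragment does, does not help on 4.1.0 or 4.1.1 because the default validator never checks those claims; only pinning the validator class (or upgrading) closes the gap. Run the audit against each broker's effective configuration rather than only the file you edited, since a listener-prefixed override takes precedence over the global value.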
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the critical nature of this authentication bypass, organizations should treat the upgrade (or the validator configuration change) as an emergency change and verify it on every broker. Left unaddressed, the flaw allows trivial impersonation of any principal and effectively nullifies authentication on the affected listeners.