
Luke Chen

#51978 of 53,635
4.3 Total CVSS
Vulnerabilities · 1
PT-2026-45725
4.3
2026-06-02
Apache · Apache Kafka · CVE-2026-41115
**Name of the Vulnerable Software and Affected Versions**
Apache Kafka (affected versions not specified)

**Description**
An improper authorization issue exists in the 'CONSUMER GROUP DESCRIBE' (69) API. The implementation validates the DESCRIBE operation on the GROUP resource, which contradicts the READ operation specified in the official documentation and KIP-848. This discrepancy can lead to misconfigured Access Control Lists (ACLs), potentially granting READ permissions to unauthorized users or allowing users with only DESCRIBE permissions to access sensitive group metadata.

**Recommendations**
Review existing group ACLs to ensure the principle of least privilege is maintained.