PT-2025-40602 · Karapace · Karapace

Dugong42 · Published 2025-10-03 · Updated 2025-10-04 · CVE-2025-61673

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Karapace versions 5.0.0 through 5.0.1

Description: Karapace, an open-source implementation of Kafka REST and Schema Registry, has an issue where authentication checks are bypassed when OAuth 2.0 Bearer Token authentication is enabled. Specifically, if a request does not include an 'Authorization' header, the token validation process is skipped. This allows unauthorized access to Schema Registry endpoints that should require authentication, effectively disabling the OAuth authentication mechanism.

Recommendations: Update to version 5.0.2 or later.
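The failure mode in the description, a token check that only runs when the header is present, is shown below as an added example. This is not Karapace's own code: the `Request` type, the `authorize_*` functions, the `validate_bearer` stand-in, the header lookup and the access-log format are all assumptions made for the illustration. The vulnerable check sits beside the fail-closed version, and a small scan over constructed log lines shows how a defender could look for successful responses on registry endpoints that carried no credential at all.

```python
"""Illustration of the CVE-2025-61673 pattern (hypothetical code, not Karapace's).

A request without an Authorization header must be rejected when Bearer
authentication is enabled; treating "no header" as "nothing to validate"
fails open.
"""
from dataclasses import dataclass, field
from typing import Mapping, Optional


@dataclass
class Request:
    # Assumed minimal request shape: path plus raw headers.
    path: str
    headers: Mapping[str, str] = field(default_factory=dict)


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive; compare them lower-cased."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


# Constructed stand-in for real OAuth 2.0 Bearer verification (signature,
# issuer/audience, expiry). Only one token is accepted here.
VALID_TOKENS = {"tok-good"}


def validate_bearer(value: str) -> bool:
    scheme, _, token = value.partition(" ")
    return scheme.lower() == "bearer" and token in VALID_TOKENS


def authorize_vulnerable(req: Request) -> bool:
    """Pattern described by the advisory: validation only runs if the header
    exists, so a request with no Authorization header is allowed through."""
    auth = get_header(req.headers, "Authorization")
    if auth is not None:
        return validate_bearer(auth)
    return True  # BUG: absence of the header is treated as "nothing to check"


def authorize_fixed(req: Request) -> bool:
    """Fail closed: a missing or empty header is an authentication failure,
    exactly like a bad token."""
    auth = get_header(req.headers, "Authorization")
    if not auth:
        return False
    return validate_bearer(auth)


# Constructed access-log lines (assumed format:
# "<timestamp> <client> <method> <path> <status> auth=<bearer|none>").
SAMPLE_LOG = [
    "2025-10-03T10:00:01Z 10.0.0.5 GET /subjects 200 auth=bearer",
    "2025-10-03T10:00:02Z 10.0.0.9 GET /subjects 200 auth=none",
    "2025-10-03T10:00:03Z 10.0.0.9 POST /subjects/orders-value/versions 200 auth=none",
    "2025-10-03T10:00:04Z 10.0.0.9 GET /config 401 auth=none",
]


def find_unauthenticated_successes(lines):
    """Return (client, method, path) for 2xx responses served without any
    credential. On a registry that requires Bearer auth, any hit is a sign
    that the check is being skipped."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than guessing
        _ts, client, method, path, status, auth = parts
        if status.startswith("2") and auth == "auth=none":
            hits.append((client, method, path))
    return hits


if __name__ == "__main__":
    anonymous = Request("/subjects")
    print("vulnerable allows anonymous:", authorize_vulnerable(anonymous))
    print("fixed allows anonymous:     ", authorize_fixed(anonymous))
    for hit in find_unauthenticated_successes(SAMPLE_LOG):
        print("unauthenticated success:", hit)
```

Running the block prints `True` for the vulnerable check and `False` for the fixed one on the same header-less request, and lists the two constructed log entries where an unauthenticated request still got a 2xx response. The second function is the one to keep in mind when reviewing middleware: a guard that lives inside `if header is not None:` silently exempts every request that omits the header.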

Weakness Enumeration
- Missing Authentication
- Authentication Bypass Using an Alternate Path or Channel

Related Identifiers
- CVE-2025-61673
- GHSA-VQ25-VCRW-GJ53

Affected Products
- Karapace