PT-2026-33633 · Apache+1 · Apache Kafka+1

·

CVE-2026-33557

·

Published

2026-04-17

·

Updated

2026-07-13

CVSS v2.0

9.4

High

VectorAV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions Apache Kafka versions 4.1.0 through 4.1.1
Description An authentication bypass exists because the default broker property sasl.oauthbearer.jwt.validator.class is set to org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator. This class fails to validate JSON Web Token (JWT) signatures, issuers, or audiences. A remote attacker can exploit this by crafting a malicious JWT token with an arbitrary preferred username to impersonate any user and gain unauthorized access to the Kafka broker. Approximately 9,000 instances have been identified globally.
Recommendations For versions 4.1.0 through 4.1.1, set the sasl.oauthbearer.jwt.validator.class configuration to org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator explicitly. Update to version 4.1.2 or 4.2.0 and later.

Exploit

Fix

DoS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-09403
BIT-KAFKA-2026-33557
CVE-2026-33557
GHSA-28JG-CGG7-J4WC

Affected Products

Apache Kafka
Red Os