PT-2026-33633 · Apache+1 · Apache Kafka+1
CVSS v2.0
9.4
High
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Kafka versions 4.1.0 through 4.1.1
Description
An authentication bypass exists because the default broker property
sasl.oauthbearer.jwt.validator.class is set to org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator. This class fails to validate JSON Web Token (JWT) signatures, issuers, or audiences. A remote attacker can exploit this by crafting a malicious JWT token with an arbitrary preferred username to impersonate any user and gain unauthorized access to the Kafka broker. Approximately 9,000 instances have been identified globally.Recommendations
For versions 4.1.0 through 4.1.1, set the
sasl.oauthbearer.jwt.validator.class configuration to org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator explicitly.
Update to version 4.1.2 or 4.2.0 and later.Exploit
Fix
DoS
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Apache Kafka
Red Os