PT-2026-33633 · Apache · Apache Kafka

Published: 2026-04-19 · Updated: 2026-04-25 · CVE-2026-33557

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Apache Kafka versions 4.1.0 through 4.1.1

Description

An issue exists in the OAUTHBEARER SASL authentication mechanism: the broker property sasl.oauthbearer.jwt.validator.class defaults to org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator, and this default validator accepts any JSON Web Token (JWT) without validating its signature, issuer, or audience. Consequently, an unauthenticated network attacker (PR:N in the vector) can forge a JWT from any issuer with the preferred username claim set to an arbitrary user, impersonate that user, and bypass the broker's authorization policies for that principal.

Recommendations

As a workaround on versions 4.1.0 through 4.1.1, explicitly set sasl.oauthbearer.jwt.validator.class to org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator on every broker that enables OAUTHBEARER. Otherwise, update to version 4.1.2 or 4.2.0.
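The audit script below is an added example, not Apache Kafka project code and not part of this advisory. It parses a broker server.properties, checks whether OAUTHBEARER is enabled (globally or per listener), and reports whether sasl.oauthbearer.jwt.validator.class is unset on an affected version, explicitly set to DefaultJwtValidator, or set to the BrokerJwtValidator the advisory recommends. The two sample configurations are constructed; the listener-scoped key form listener.name.<listener>.oauthbearer.sasl.oauthbearer.jwt.validator.class is assumed from Kafka's listener override convention and is not stated by the advisory; the broker version string is supplied by the operator.

```python
"""Audit a Kafka broker server.properties for CVE-2026-33557 exposure.

Added example, not Apache Kafka project code. Property names follow the
advisory; the sample configurations at the bottom are constructed.
"""
import re
import sys
from typing import Dict, List, Tuple

VALIDATOR_KEY = "sasl.oauthbearer.jwt.validator.class"
DEFAULT_VALIDATOR = "org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator"
BROKER_VALIDATOR = "org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator"
AFFECTED_MIN, AFFECTED_MAX = (4, 1, 0), (4, 1, 1)  # range the advisory lists


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties parser: '#'/'!' comments, '=' or ':'
    separators, backslash line continuation. Later keys override earlier ones."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.1.1' -> (4, 1, 1); trailing suffixes such as -SNAPSHOT are ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised Kafka version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def oauthbearer_enabled(props: Dict[str, str]) -> bool:
    """OAUTHBEARER may be enabled globally or via a per-listener override."""
    for key, value in props.items():
        if key == "sasl.enabled.mechanisms" or (
            key.startswith("listener.name.") and key.endswith(".sasl.enabled.mechanisms")
        ):
            if "OAUTHBEARER" in {m.strip().upper() for m in value.split(",")}:
                return True
    return False


def validator_settings(props: Dict[str, str]) -> Dict[str, str]:
    """Every validator-class setting, global or listener-scoped (assumed form:
    listener.name.<listener>.oauthbearer.<key>), keyed by full property name."""
    return {k: v for k, v in props.items()
            if k == VALIDATOR_KEY or k.endswith("." + VALIDATOR_KEY)}


def audit(properties_text: str, kafka_version: str) -> List[str]:
    """Return findings as 'LEVEL: message' strings; empty means OAUTHBEARER is off."""
    props = parse_properties(properties_text)
    if not oauthbearer_enabled(props):
        return []
    affected = AFFECTED_MIN <= parse_version(kafka_version) <= AFFECTED_MAX
    settings = validator_settings(props)
    if not settings:
        if affected:
            return [f"CRITICAL: {VALIDATOR_KEY} unset on Kafka {kafka_version}; the default "
                    f"DefaultJwtValidator accepts unsigned JWTs from any issuer (CVE-2026-33557)"]
        return [f"INFO: {VALIDATOR_KEY} unset; Kafka {kafka_version} is outside the range "
                f"the advisory lists as affected"]
    findings = []
    for key, cls in settings.items():
        if cls == DEFAULT_VALIDATOR:
            findings.append(f"CRITICAL: {key} explicitly selects DefaultJwtValidator, "
                            f"which performs no signature, issuer or audience check")
        elif cls == BROKER_VALIDATOR:
            findings.append(f"OK: {key}={cls}")
        else:
            findings.append(f"WARN: {key} uses custom validator {cls}; confirm it "
                            f"verifies signature, issuer and audience")
    return findings


# Constructed sample: OAUTHBEARER enabled, validator left at its default.
WEAK_CONFIG = """
listeners=SASL_SSL://0.0.0.0:9093
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=OAUTHBEARER
sasl.mechanism.inter.broker.protocol=OAUTHBEARER
# sasl.oauthbearer.jwt.validator.class is not set -> DefaultJwtValidator on 4.1.0/4.1.1
"""

# Constructed sample: the advisory's workaround applied.
HARDENED_CONFIG = WEAK_CONFIG + f"{VALIDATOR_KEY}={BROKER_VALIDATOR}\n"

if __name__ == "__main__":
    # Usage: python audit_kafka_jwt.py /path/to/server.properties 4.1.1
    with open(sys.argv[1]) as fh:
        for finding in audit(fh.read(), sys.argv[2]) or ["INFO: OAUTHBEARER not enabled"]:
            print(finding)
```

Run it against each broker's server.properties with that broker's version; a CRITICAL on any broker that accepts client or inter-broker OAUTHBEARER traffic means the workaround or the update is still outstanding there.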

Fix

Weakness Enumeration

Related Identifiers

BIT-KAFKA-2026-33557
CVE-2026-33557
GHSA-28JG-CGG7-J4WC

Affected Products

Apache Kafka