PT-2026-33644 · Apache · Apache Kafka
Published 2026-04-19 · Updated 2026-04-22 · CVE-2026-33558
CVSS v3.1 5.3 Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Kafka versions prior to 3.9.2
Apache Kafka versions prior to 4.0.1
Description
The NetworkClient component outputs complete request and response information when the log level is set to DEBUG. While the default log level is INFO, enabling DEBUG exposes sensitive data through the logs. Impacted requests and responses include 'AlterConfigsRequest', 'AlterUserScramCredentialsRequest', 'ExpireDelegationTokenRequest', 'IncrementalAlterConfigsRequest', 'RenewDelegationTokenRequest', 'SaslAuthenticateRequest', 'createDelegationTokenResponse', 'describeDelegationTokenResponse', and 'SaslAuthenticateResponse'.
Recommendations
Upgrade to version 3.9.2 or later.
Upgrade to version 4.0.1 or later.
As a temporary workaround, ensure the log level for the NetworkClient component is not set to DEBUG.
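The workaround above is easy to get wrong because log4j loggers inherit their level from ancestors: a root logger at DEBUG exposes NetworkClient even if the NetworkClient logger is never mentioned. The following added example (not part of this advisory or of Apache Kafka) resolves the effective level of the NetworkClient logger from a log4j 1.x-style properties file, as used by Kafka 3.x; the logger name, the level keys and the sample configs are assumptions made for the example.

```python
# Added example (not part of the advisory or of Apache Kafka): resolve the
# effective log4j 1.x level of the NetworkClient logger from log4j.properties
# text, honouring logger inheritance, and flag DEBUG/TRACE as the exposed state.
# Assumption: Kafka 3.x-style log4j.properties syntax (log4j.rootLogger and
# log4j.logger.<name> keys); every sample config below is constructed.
NETWORK_CLIENT_LOGGER = "org.apache.kafka.clients.NetworkClient"
VERBOSE_LEVELS = {"DEBUG", "TRACE", "ALL"}  # levels that enable the DEBUG dump

def parse_log4j_levels(text: str) -> dict:
    """Map logger name -> configured level; "" stands for the root logger."""
    levels = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "log4j.rootLogger":
            name = ""
        elif key.startswith("log4j.logger."):
            name = key[len("log4j.logger."):]
        else:
            continue  # appender/layout keys carry no level
        # Value is "LEVEL[, appender, ...]"; the level is the first token.
        level = value.split(",")[0].strip().upper()
        if level and level not in {"INHERITED", "NULL"}:  # else it inherits
            levels[name] = level
    return levels

def effective_level(levels: dict, logger: str) -> str:
    """Walk from the logger up its dotted ancestors; first explicit level wins."""
    name = logger
    while True:
        if name in levels:
            return levels[name]
        if name == "":
            return "DEBUG"  # log4j 1.x root default when nothing is configured
        name = name.rpartition(".")[0]  # "a.b.c" -> "a.b" -> "a" -> ""

def network_client_exposed(config_text: str) -> bool:
    """True when NetworkClient would emit its full request/response DEBUG lines."""
    level = effective_level(parse_log4j_levels(config_text), NETWORK_CLIENT_LOGGER)
    return level in VERBOSE_LEVELS

# Constructed samples: root at INFO; root at DEBUG (inherited by NetworkClient);
# root at DEBUG with the clients package pinned back to INFO (the workaround).
SAFE_CONFIG = "log4j.rootLogger=INFO, stdout\n"
ROOT_DEBUG_CONFIG = "log4j.rootLogger=DEBUG, stdout\n"
PINNED_CONFIG = ROOT_DEBUG_CONFIG + "log4j.logger.org.apache.kafka.clients=INFO\n"

for cfg in (SAFE_CONFIG, ROOT_DEBUG_CONFIG, PINNED_CONFIG):
    print(network_client_exposed(cfg))  # False, True, False
```

Kafka 4.x ships a log4j2 configuration with a different syntax, so the same inheritance check there needs a log4j2 parser; the walk up the dotted logger hierarchy is the same.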
Fix
Insertion into Log File
Related Identifiers
Affected Products
Apache Kafka