CVE-2026-33557

Summary

A possible security vulnerability has been identified in Apache Kafka.

By default, the broker property sasl.oauthbearer.jwt.validator.class is set to org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the preferred_username set to any user, and the broker will accept it.

We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config sasl.oauthbearer.jwt.validator.class to org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Kafka4.1.0 <= 4.1.1affected

Weaknesses

  • CWE-1285: CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

kafka: Apache Kafka: Authentication bypass via improper JWT validation

Additional References

References