CVE-2026-33558
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Information exposure vulnerability has been identified in Apache Kafka.
The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensitive information will be exposed via the requests and responses output log. The entire lists of impacted requests and responses are:
AlterConfigsRequest
AlterUserScramCredentialsRequest
ExpireDelegationTokenRequest
IncrementalAlterConfigsRequest
RenewDelegationTokenRequest
SaslAuthenticateRequest
createDelegationTokenResponse
describeDelegationTokenResponse
SaslAuthenticateResponse
This issue affects Apache Kafka: from any version supported the listed API above through v3.9.1, v4.0.0. We advise the Kafka users to upgrade to v3.9.2, v4.0.1, or later to avoid this vulnerability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache Kafka | 0.11.0 <= 3.9.1 | affected |
| Apache Software Foundation | Apache Kafka | 4.0.0 | affected |
| Apache Software Foundation | Apache Kafka Clients | 0.11.0 <= 3.9.1 | affected |
| Apache Software Foundation | Apache Kafka Clients | 4.0.0 | affected |
Weaknesses
- CWE-533: CWE-533 DEPRECATED: Information Exposure Through Server Log Files
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.