New Kafka flaws disclosed

- Security researchers disclosed fresh Kafka vulnerabilities that may let brokers skip token checks or leak info.
- The issues are tracked as CVE-2026-33557 (missing JWT validation) and CVE-2026-33558 (information exposure).
- Broker compromises like these can enable lateral movement into downstream services, so operators should prioritize fixes. (x.com)

Apache Kafka disclosed two new security flaws on April 17, including one that can let a broker accept forged login tokens. (kafka.apache.org) Kafka is software that moves data between applications in real time, so its brokers act as traffic hubs for messages, credentials, and service-to-service access. Apache says the new issues are tracked as CVE-2026-33557 and CVE-2026-33558. (kafka.apache.org)

The more serious bug, CVE-2026-33557, affects brokers running Kafka 4.1.0 through 4.1.1 with the OAUTHBEARER login method enabled on the server side. Apache said the default validator in those versions accepted JSON Web Tokens without checking the signature, issuer, or audience. (kafka.apache.org, openwall.com) A JSON Web Token is a signed digital badge that tells a service who a user is. Apache said an attacker could mint a token from any issuer, set `preferred_username` to any user, and have the broker accept it. (openwall.com)

The second flaw, CVE-2026-33558, is an information-exposure bug in Kafka’s client software rather than the broker itself. Apache said the `NetworkClient` component can dump full requests and responses into logs when operators turn DEBUG logging on, exposing sensitive data that is not written at the default INFO level. (kafka.apache.org)

Apache listed affected client versions for CVE-2026-33558 as 0.11.0 through 3.9.1 and 4.0.0, with fixes in 3.9.2, 4.0.1, 4.1.0 and later. It listed the token-validation bug as fixed in 4.1.2 and 4.2.0 and later. (kafka.apache.org)

For users who cannot upgrade immediately, Apache told operators on Kafka 4.1.0 or 4.1.1 to set `sasl.oauthbearer.jwt.validator.class` explicitly to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator`. For the logging issue, Apache advised keeping the `NetworkClient` logger at INFO or higher unless DEBUG output is required. (openwall.com, kafka.apache.org)

The timing matters because Kafka often sits between identity systems, internal applications, and downstream data services. A broker that accepts forged identities or leaks authentication exchanges into logs can give an intruder a path into systems beyond Kafka itself. (kafka.apache.org)

Apache credited Pavel Romanov with finding CVE-2026-33557. The project’s security page says researchers should report Kafka flaws privately to the maintainers before public disclosure. (openwall.com, kafka.apache.org)

For operators, the immediate checklist is narrow: check whether brokers run 4.1.0 or 4.1.1 with OAUTHBEARER enabled, check whether any clients still use DEBUG logging, and patch to fixed releases. (kafka.apache.org, openwall.com)
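As an added example (not code from Apache Kafka or from the advisory), the checklist above can be turned into a small Python audit that reads a broker's `server.properties` and a log4j-style logger properties file and flags the two conditions this briefing describes. It assumes `sasl.enabled.mechanisms` is the broker key listing enabled SASL mechanisms, that the NetworkClient logger is named `org.apache.kafka.clients.NetworkClient`, and that logger levels appear as log4j 1.x `log4j.logger.<name>=<level>` lines; the version string and both sample configs are constructed.

```python
SAFE_VALIDATOR = "org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator"
VULN_BROKER_VERSIONS = {"4.1.0", "4.1.1"}   # CVE-2026-33557; fixed in 4.1.2 and 4.2.0+
NETWORK_CLIENT_LOGGER = "org.apache.kafka.clients.NetworkClient"  # assumed logger name

def parse_properties(text: str) -> dict:
    """Parse Java-style key=value (or key: value) properties; skip comments and blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props

def audit(version: str, server_props: str, log_props: str) -> list:
    """Return findings for the two advisories; an empty list means neither applies."""
    findings = []
    broker = parse_properties(server_props)
    mechanisms = {m.strip() for m in broker.get("sasl.enabled.mechanisms", "").split(",")}
    validator = broker.get("sasl.oauthbearer.jwt.validator.class")
    # CVE-2026-33557: 4.1.0/4.1.1 broker, OAUTHBEARER enabled, validator not pinned explicitly.
    if version in VULN_BROKER_VERSIONS and "OAUTHBEARER" in mechanisms and validator != SAFE_VALIDATOR:
        findings.append(f"CVE-2026-33557: Kafka {version} with OAUTHBEARER enabled and "
                        f"sasl.oauthbearer.jwt.validator.class={validator or '<unset>'}; "
                        f"set it to {SAFE_VALIDATOR} or upgrade to 4.1.2 / 4.2.0+")
    # CVE-2026-33558: NetworkClient logger at DEBUG (or finer) writes full requests/responses.
    for key, value in parse_properties(log_props).items():
        level = value.split(",")[0].strip().upper()   # log4j allows "DEBUG, appenderName"
        if key.endswith(NETWORK_CLIENT_LOGGER) and level in ("DEBUG", "TRACE", "ALL"):
            findings.append(f"CVE-2026-33558: {NETWORK_CLIENT_LOGGER} logger set to {level}; "
                            "keep it at INFO or higher")
    return findings

# Constructed sample configuration (not taken from any real deployment).
SAMPLE_SERVER = """# broker SASL settings
sasl.enabled.mechanisms=PLAIN,OAUTHBEARER
listeners=SASL_SSL://:9093
"""
SAMPLE_LOG = """log4j.rootLogger=INFO, stdout
log4j.logger.org.apache.kafka.clients.NetworkClient=DEBUG
"""

if __name__ == "__main__":
    for finding in audit("4.1.1", SAMPLE_SERVER, SAMPLE_LOG):
        print(finding)
```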
