PatchSiren cyber security CVE debrief
CVE-2026-33557 Apache CVE debrief
A critical security vulnerability has been identified in Apache Kafka, affecting versions 4.1.0 and 4.1.1. The vulnerability is due to the default configuration of the `sasl.oauthbearer.jwt.validator.class` property, which allows any JWT token to be accepted without validation. This could allow an attacker to generate a JWT token with any issuer and `preferred_username` set to any user, potentially leading to unauthorized access. Users of Kafka versions 4.1.0 and 4.1.1 are advised to set the `sasl.oauthbearer.jwt.validator.class` property to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` to mitigate this vulnerability. This issue is fixed in Kafka versions 4.1.2 and 4.2.0.
- Vendor: Apache
- Product: Kafka
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-20
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-20
- Advisory updated: 2026-06-30
Who should care
Apache Kafka users, administrators, and security teams should be aware of this vulnerability and take the necessary steps to mitigate it. This includes anyone running Kafka 4.1.0 or 4.1.1 who has not upgraded to 4.1.2 or 4.2.0, and anyone relying on the default value of the `sasl.oauthbearer.jwt.validator.class` property.
Technical summary
The vulnerability is caused by the default configuration of the `sasl.oauthbearer.jwt.validator.class` property in Apache Kafka versions 4.1.0 and 4.1.1. The property defaults to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`, which accepts any JWT without validating its signature, issuer, or audience. An attacker can therefore present a JWT with any issuer and with `preferred_username` set to any user, potentially gaining unauthorized access. The CVSS score for this vulnerability is 9.1, indicating critical severity.
Defensive priority
High priority should be given to mitigating this vulnerability, as it could lead to unauthorized access to Kafka clusters. Kafka users should update to versions 4.1.2 or 4.2.0, or set the `sasl.oauthbearer.jwt.validator.class` property to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` to validate JWT tokens properly.
Recommended defensive actions
- Update to Kafka version 4.1.2 or 4.2.0
- Set the `sasl.oauthbearer.jwt.validator.class` property to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator`
- Review and update Kafka configurations to ensure proper validation of JWT tokens
- Monitor Kafka clusters for suspicious activity
- Implement additional security measures, such as authentication and authorization
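A configuration check for the property discussed above, added here as an example (it is not Kafka project code or part of the original debrief): it parses a broker `server.properties`, and whenever OAUTHBEARER is an enabled SASL mechanism it flags an unset `sasl.oauthbearer.jwt.validator.class` or any value other than `BrokerJwtValidator`. The sample configurations are constructed, and the treatment of listener-prefixed property names is an assumption.

```python
"""Added example, not Kafka project code: audit a broker server.properties
for the CVE-2026-33557 weak JWT validator default (Kafka 4.1.0/4.1.1)."""
from __future__ import annotations

VULNERABLE_VERSIONS = {"4.1.0", "4.1.1"}  # affected releases per the advisory
VALIDATOR_KEY = "sasl.oauthbearer.jwt.validator.class"
SAFE_VALIDATOR = "org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator"
WEAK_VALIDATOR = "org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator"

def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, first '=' or ':' splits."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        idx = min(seps) if seps else len(line)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props

def audit(props: dict[str, str], broker_version: str | None = None) -> list[str]:
    """Return findings; an empty list means the weak default cannot be in play.
    Assumption: listener-prefixed overrides end in the same key names."""
    if broker_version is not None and broker_version not in VULNERABLE_VERSIONS:
        return []  # fixed release (4.1.2 / 4.2.0) or otherwise out of scope
    enabled: set[str] = set()
    for key, value in props.items():
        if key.endswith("sasl.enabled.mechanisms"):
            enabled |= {m.strip().upper() for m in value.split(",") if m.strip()}
    if "OAUTHBEARER" not in enabled:
        return []  # no OAUTHBEARER listener, so the broker validates no JWTs
    findings = []
    validator_keys = [k for k in props if k.endswith(VALIDATOR_KEY)]
    if not validator_keys:
        findings.append(f"{VALIDATOR_KEY} unset; vulnerable default {WEAK_VALIDATOR} applies")
    for key in validator_keys:
        if props[key] != SAFE_VALIDATOR:
            findings.append(f"{key}={props[key]}; set it to {SAFE_VALIDATOR}")
    return findings

# Constructed sample configs: the weak default beside the hardened setting.
WEAK_CONFIG = "listeners=SASL_SSL://:9093\nsasl.enabled.mechanisms=OAUTHBEARER\n"
HARDENED_CONFIG = WEAK_CONFIG + f"{VALIDATOR_KEY}={SAFE_VALIDATOR}\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_properties(cfg), "4.1.1") or ["OK"])
```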
Evidence notes
The vulnerability was reported by the Apache Kafka security team and is documented in the Apache Kafka CVE list. The NVD entry for this vulnerability provides additional information on the CVSS score and vector.
Official resources
- CVE-2026-33557 CVE record (CVE.org)
- CVE-2026-33557 NVD detail (NVD)
This article is AI-assisted and based on the supplied source corpus.