PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-33557 Apache CVE debrief

A critical security vulnerability has been identified in Apache Kafka, affecting versions 4.1.0 and 4.1.1. The vulnerability is due to the default configuration of the `sasl.oauthbearer.jwt.validator.class` property, which allows any JWT token to be accepted without validation. This could allow an attacker to generate a JWT token with any issuer and `preferred_username` set to any user, potentially leading to unauthorized access. Users of Kafka versions 4.1.0 and 4.1.1 are advised to set the `sasl.oauthbearer.jwt.validator.class` property to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` to mitigate this vulnerability. This issue is fixed in Kafka versions 4.1.2 and 4.2.0.

Vendor: Apache
Product: Kafka
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-20
Original CVE updated: 2026-06-30
Advisory published: 2026-04-20
Advisory updated: 2026-06-30

Who should care

Apache Kafka users, administrators, and security teams should be aware of this vulnerability and take necessary steps to mitigate it. This includes Kafka users who have not upgraded to versions 4.1.2 or 4.2.0, and those who are using the default configuration of the `sasl.oauthbearer.jwt.validator.class` property.

Technical summary

The vulnerability is caused by the default configuration of the `sasl.oauthbearer.jwt.validator.class` property in Apache Kafka versions 4.1.0 and 4.1.1. The property defaults to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`, which accepts any JWT token without validating its signature, issuer, or audience. An attacker can therefore present a JWT with an arbitrary issuer and `preferred_username` set to any user, potentially leading to unauthorized access. The CVSS score for this vulnerability is 9.1, indicating critical severity.

Defensive priority

High priority should be given to mitigating this vulnerability, as it could lead to unauthorized access to Kafka clusters. Kafka users should update to versions 4.1.2 or 4.2.0, or set the `sasl.oauthbearer.jwt.validator.class` property to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` to validate JWT tokens properly.

Recommended defensive actions

  • Update to Kafka version 4.1.2 or 4.2.0
  • Set the `sasl.oauthbearer.jwt.validator.class` property to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator`
  • Review and update Kafka configurations to ensure proper validation of JWT tokens
  • Monitor Kafka clusters for suspicious activity
  • Implement additional security measures, such as authentication and authorization
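The following is a defender-side audit of a broker `server.properties` file for the weak setting described above, added here as an example; it is not Apache Kafka's or PatchSiren's code. The sample configuration is constructed, and the listener-prefixed key form (`listener.name.<listener>.<mechanism>.<property>`) is an assumed Kafka convention that the debrief itself does not mention.

```python
"""Audit a Kafka broker properties file for the CVE-2026-33557 misconfiguration."""

VALIDATOR_KEY = "sasl.oauthbearer.jwt.validator.class"
DEFAULT_VALIDATOR = "org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator"
SAFE_VALIDATOR = "org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator"
AFFECTED_VERSIONS = {"4.1.0", "4.1.1"}  # versions named in the debrief

# Constructed sample broker config (not from a real deployment): OAUTHBEARER is
# enabled but the validator class is left unset, so the unsafe default applies.
SAMPLE_CONFIG = """# constructed sample server.properties
broker.id=1
listeners=SASL_SSL://:9093
sasl.enabled.mechanisms=OAUTHBEARER
"""

def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props

def audit_jwt_validator(props, kafka_version):
    """Return (key, status) findings. Status is one of: not-affected,
    oauthbearer-not-enabled, unsafe-default, explicit-default, custom, ok."""
    if kafka_version not in AFFECTED_VERSIONS:
        return [(VALIDATOR_KEY, "not-affected")]
    # Only the global mechanism list is checked; default is GSSAPI when unset.
    mechanisms = {m.strip().upper()
                  for m in props.get("sasl.enabled.mechanisms", "GSSAPI").split(",")}
    if "OAUTHBEARER" not in mechanisms:
        return [(VALIDATOR_KEY, "oauthbearer-not-enabled")]
    # Assumed convention: listener-scoped overrides end with the same property name.
    scoped = {k: v for k, v in props.items() if k.endswith(VALIDATOR_KEY)}
    findings = []
    if VALIDATOR_KEY not in scoped:  # no global value: broker falls back to the default
        findings.append((VALIDATOR_KEY, "unsafe-default"))
    for key, value in scoped.items():
        if value == SAFE_VALIDATOR:
            findings.append((key, "ok"))
        elif value == DEFAULT_VALIDATOR:
            findings.append((key, "explicit-default"))
        else:
            findings.append((key, "custom"))
    return findings

def remediation_line():
    """The property line the debrief recommends adding to the broker config."""
    return f"{VALIDATOR_KEY}={SAFE_VALIDATOR}"
```

Running `audit_jwt_validator` before and after appending `remediation_line()` to the file shows the finding move from `unsafe-default` to `ok`; a `custom` result means a validator class the debrief does not cover and should be reviewed by hand.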

Evidence notes

The vulnerability was reported by the Apache Kafka security team and is documented in the Apache Kafka CVE list. The NVD entry for this vulnerability provides additional information on the CVSS score and vector.

Official resources

This article is AI-assisted and based on the supplied source corpus.