
PatchSiren cyber security CVE debrief

CVE-2026-27134 Strimzi CVE debrief

The Strimzi Kafka Operator is vulnerable to an mTLS authentication bypass caused by incorrect configuration of the trusted certificates used for mTLS authentication on internal and user-configured listeners. The issue affects users with a custom Cluster or Clients CA whose certificate is a multistage CA chain made up of multiple CAs. The vulnerability has been fixed in version 0.50.1. Users can work around the issue by providing only the single CA that should be trusted instead of the full CA chain.

Vendor: strimzi
Product: strimzi-kafka-operator
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-21
Original CVE updated: 2026-06-30
Advisory published: 2026-02-21
Advisory updated: 2026-06-30

Who should care

Users of Strimzi Kafka Operator versions 0.49.0 through 0.50.0 who use a custom Cluster or Clients CA with a multistage CA chain made up of multiple CAs should be aware of this vulnerability. This includes organizations running Strimzi-managed Apache Kafka clusters on Kubernetes or OpenShift. Users of Strimzi-managed Cluster and Clients CAs, and users whose custom CA is a single certificate, are not affected.

Technical summary

The Strimzi Kafka Operator incorrectly configures the trusted certificates for mTLS authentication: when the custom Cluster or Clients CA is a multistage chain, every CA in the chain is trusted rather than only the single CA intended to issue client certificates. As a result, a client presenting a certificate signed by any CA in that chain can authenticate. The vulnerability, fixed in version 0.50.1, specifically affects users with custom CA configurations involving multiple CAs. The workaround is to provide only the single CA that should be trusted for authentication.

Defensive priority

Updating Strimzi Kafka Operator to version 0.50.1, or applying the workaround, should be treated as high priority by users with custom Cluster or Clients CA configurations involving multiple CAs. Organizations should review their current CA configurations to determine whether they are vulnerable.

Recommended defensive actions

  • Update Strimzi Kafka Operator to version 0.50.1 or later.
  • For users with custom Cluster or Clients CA configurations involving multiple CAs, provide only the single CA that should be used for authentication instead of the full CA chain.
  • Review and update mTLS authentication configurations for internal and user-configured listeners.
  • Assess current Strimzi Kafka Operator configurations to determine if they are vulnerable.
  • Monitor for authentication by client certificates issued by a CA in the chain other than the single intended CA.
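One way to check for the multistage chain the technical summary describes, as an added example that is not from PatchSiren or the Strimzi project: a stdlib-only Python audit that decodes a Kubernetes Secret and counts the certificates in its CA bundle, reporting a bundle with more than one certificate as the chain the workaround says not to supply. The Secret key name `ca.crt` and the Secret names are assumptions, and the PEM blocks are constructed placeholders, not real certificates.

```python
import base64
import re

# One PEM certificate block; the body is only counted, never parsed.
PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)

def count_pem_certs(pem_text: str) -> int:
    """Return how many CERTIFICATE blocks a PEM bundle contains."""
    return len(PEM_CERT_RE.findall(pem_text))

def audit_ca_secret(secret: dict, key: str = "ca.crt") -> dict:
    """Flag a CA Secret whose bundle holds more than one certificate.

    The key name 'ca.crt' is an assumption about how the custom CA is stored.
    Several certificates in one bundle is the multistage chain the advisory
    describes, so it is reported as 'multi-ca-chain'.
    """
    name = secret.get("metadata", {}).get("name", "<unnamed>")
    data = secret.get("data", {})
    if key not in data:
        return {"name": name, "certs": 0, "status": "missing-key"}
    certs = count_pem_certs(base64.b64decode(data[key]).decode("ascii"))
    status = "ok" if certs == 1 else ("empty" if certs == 0 else "multi-ca-chain")
    return {"name": name, "certs": certs, "status": status}

def _fake_cert(label: str) -> str:
    """Build a placeholder PEM block (not a real certificate) for the demo."""
    body = base64.b64encode(f"placeholder-{label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def _secret(name: str, pem: str) -> dict:
    """Wrap a PEM string the way a Kubernetes Secret stores it (base64 under data)."""
    return {"metadata": {"name": name},
            "data": {"ca.crt": base64.b64encode(pem.encode()).decode()}}

# Constructed inputs: one Secret with a single CA, one carrying root plus
# intermediate, i.e. the full chain the workaround says not to supply.
SINGLE_CA_SECRET = _secret("example-clients-ca-cert", _fake_cert("issuing-ca"))
CHAIN_CA_SECRET = _secret("example-cluster-ca-cert",
                          _fake_cert("root-ca") + _fake_cert("intermediate-ca"))

if __name__ == "__main__":
    for s in (SINGLE_CA_SECRET, CHAIN_CA_SECRET):
        print(audit_ca_secret(s))
```

Against a live cluster the same function can be fed the JSON output of `kubectl get secret <name> -o json` for each custom CA Secret.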

Evidence notes

CVE-2026-27134 was publicly disclosed on February 21, 2026, and last modified on June 30, 2026. The issue affects Strimzi Kafka Operator versions 0.49.0 through 0.50.0. The vulnerability has a CVSS score of 8.1 and is rated HIGH severity. Multiple sources, including NVD and Red Hat, have documented it.

Official resources

This article is AI-assisted and based on the supplied source corpus.