PatchSiren cyber security CVE debrief
CVE-2026-27134 strimzi CVE debrief
The Strimzi Kafka Operator is vulnerable to an mTLS authentication bypass due to incorrect configuration of trusted certificates for mTLS authentication on internal and user-configured listeners. This issue affects users with a custom Cluster or Clients CA with a multistage CA chain consisting of multiple CAs. The vulnerability has been fixed in version 0.50.1. Users can work around this issue by providing only the single CA that should be used instead of the full CA chain.
- Vendor: strimzi
- Product: strimzi-kafka-operator
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-21
- Original CVE updated: 2026-06-30
- Advisory published: 2026-02-21
- Advisory updated: 2026-06-30
Who should care
Users of Strimzi Kafka Operator versions 0.49.0 through 0.50.0 who use a custom Cluster or Clients CA with a multistage CA chain consisting of multiple CAs should be aware of this vulnerability. This includes organizations running Apache Kafka clusters on Kubernetes or OpenShift with Strimzi. Users of Strimzi-managed Cluster and Clients CAs, or those with single-CA configurations, are not affected.
Technical summary
The Strimzi Kafka Operator incorrectly configures the trusted certificates used for mTLS authentication on internal and user-configured listeners: when a custom Cluster or Clients CA is supplied as a multistage chain, every CA in that chain is trusted, so a client certificate signed by any of them is accepted for authentication. The flaw is fixed in version 0.50.1 and affects only custom CA configurations involving multiple CAs. The workaround is to provide only the single CA that should be trusted instead of the full CA chain.
Defensive priority
Updating Strimzi Kafka Operator to version 0.50.1, or applying the workaround, should be treated as high priority for users with custom Cluster or Clients CA configurations involving multiple CAs. Organizations should review their current configurations to determine whether they are vulnerable.
Recommended defensive actions
- Update Strimzi Kafka Operator to version 0.50.1 or later.
- For users with custom Cluster or Clients CA configurations involving multiple CAs, provide only the single CA that should be used for authentication instead of the full CA chain.
- Review and update mTLS authentication configurations for internal and user-configured listeners.
- Assess current Strimzi Kafka Operator configurations to determine if they are vulnerable.
- Monitor for unauthorized authentication attempts by clients presenting certificates issued by a CA in the custom chain other than the intended one.
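As an added defensive check (not Strimzi's own code), the script below parses a PEM CA bundle of the kind supplied for a custom Cluster or Clients CA, counts the certificates it contains and names the CA that actually issues end-entity certificates, which is the single CA the workaround says to keep. The sample certificates are constructed, unsigned X.509 skeletons so the script runs offline; the parser itself handles real DER certificates, and the secret key name `ca.crt` in the usage note is an assumption about Strimzi's custom CA layout, not something this page states.

```python
import base64, re

# Minimal DER helpers, used only to build the constructed sample certificates.
def der(tag, body):
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])) + body

def name(cn):  # X.501 Name: SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } }
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))

def fake_cert(subject, issuer):
    # Constructed, unsigned X.509 skeleton with just enough structure for subject/issuer parsing.
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    validity = der(0x30, der(0x17, b"260101000000Z") + der(0x17, b"360101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name(issuer) + validity + name(subject) + der(0x30, b""))
    cert = der(0x30, tbs + alg + der(0x03, b"\x00" * 8))  # placeholder signature BIT STRING
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"

def tlv(buf, pos=0):  # read one DER TLV; returns (tag, value bytes, next position)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def common_name(rdns):  # walk a Name's RDN SETs and return the commonName value
    pos = 0
    while pos < len(rdns):
        _, rdn_set, pos = tlv(rdns, pos)
        _, atv, _ = tlv(rdn_set)
        _, oid, p = tlv(atv)
        if oid == b"\x55\x04\x03":
            return tlv(atv, p)[1].decode()
    return "?"

def subject_issuer(cert_der):  # works on real DER certificates as well as the samples
    _, tbs, _ = tlv(tlv(cert_der)[1])     # Certificate -> tbsCertificate
    tag, _, pos = tlv(tbs)                # [0] EXPLICIT version is optional
    if tag == 0xA0:
        _, _, pos = tlv(tbs, pos)         # serialNumber
    _, _, pos = tlv(tbs, pos)             # signature AlgorithmIdentifier
    _, issuer, pos = tlv(tbs, pos)
    _, _, pos = tlv(tbs, pos)             # validity
    return common_name(tlv(tbs, pos)[1]), common_name(issuer)

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def audit_ca_bundle(pem):
    """Return (certificate count, CN of the CA that issues end-entity certs). A count above 1
    is the multi-CA chain the advisory describes; the workaround keeps only that issuing CA."""
    certs = [subject_issuer(base64.b64decode(m)) for m in PEM_RE.findall(pem)]
    issuers = {iss for _, iss in certs}
    issuing = [sub for sub, _ in certs if sub not in issuers]
    return len(certs), (issuing[0] if len(issuing) == 1 else None)

# Constructed sample: intermediate "Kafka Clients CA" chained to "Corp Root CA".
SAMPLE_BUNDLE = fake_cert("Kafka Clients CA", "Corp Root CA") + fake_cert("Corp Root CA", "Corp Root CA")
```

Feed `audit_ca_bundle` the decoded `ca.crt` value of the custom CA secret (assumed key name); on an affected version a count above 1 means every CA in that bundle is trusted for client authentication, and the returned CN is the one to keep.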
Evidence notes
The CVE-2026-27134 vulnerability was publicly disclosed on February 21, 2026, and last modified on June 30, 2026. The issue affects Strimzi Kafka Operator versions 0.49.0 through 0.50.0. The vulnerability has a CVSS score of 8.1 and is considered HIGH severity. Multiple sources, including NVD and Red Hat, have documented this vulnerability.
Official resources
- CVE-2026-27134 CVE record (CVE.org)
- CVE-2026-27134 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Product, Release Notes
- Mitigation or vendor reference: Vendor Advisory
This article is AI-assisted and based on the supplied source corpus.