{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33557", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-23T03:14:53.527Z", "datePublished": "2026-04-20T13:28:43.669Z", "dateUpdated": "2026-04-20T14:30:30.936Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Kafka", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "4.1.1", "status": "affected", "version": "4.1.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "\u041f\u0430\u0432\u0435\u043b \u0420\u043e\u043c\u0430\u043d\u043e\u0432 <promanov1994@gmail.com>"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>A possible security vulnerability has been identified in Apache Kafka.</div><div>By default, the broker property `sasl.oauthbearer.jwt.validator.class` is&nbsp;set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its&nbsp;signature, issuer, or audience. An attacker can generate a JWT&nbsp;token from any issuer with the `preferred_username` set to any user, and the broker will accept it.</div><div>We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.</div><br>"}], "value": "A possible security vulnerability has been identified in Apache Kafka.\n\nBy default, the broker property `sasl.oauthbearer.jwt.validator.class` is\u00a0set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its\u00a0signature, issuer, or audience. An attacker can generate a JWT\u00a0token from any issuer with the `preferred_username` set to any user, and the broker will accept it.\n\nWe advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1285", "description": "CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-20T13:28:43.669Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://kafka.apache.org/cve-list"}, {"tags": ["mailing-list"], "url": "https://lists.apache.org/thread/v57o00hm6yszdpdnvqx2ss4561yh953h"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/17/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-20T13:38:51.117Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T14:29:31.424817Z", "id": "CVE-2026-33557", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:30:30.936Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/17/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-20T13:38:51.117Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-33557", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T14:29:31.424817Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:28:04.017Z"}}], "cna": {"title": "Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "\u041f\u0430\u0432\u0435\u043b \u0420\u043e\u043c\u0430\u043d\u043e\u0432 <promanov1994@gmail.com>"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Kafka", "versions": [{"status": "affected", "version": "4.1.0", "versionType": "semver", "lessThanOrEqual": "4.1.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://kafka.apache.org/cve-list", "tags": ["vendor-advisory"]}, {"url": "https://lists.apache.org/thread/v57o00hm6yszdpdnvqx2ss4561yh953h", "tags": ["mailing-list"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A possible security vulnerability has been identified in Apache Kafka.\n\nBy default, the broker property `sasl.oauthbearer.jwt.validator.class` is\u00a0set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its\u00a0signature, issuer, or audience. An attacker can generate a JWT\u00a0token from any issuer with the `preferred_username` set to any user, and the broker will accept it.\n\nWe advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.", "supportingMedia": [{"type": "text/html", "value": "<div>A possible security vulnerability has been identified in Apache Kafka.</div><div>By default, the broker property `sasl.oauthbearer.jwt.validator.class` is&nbsp;set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its&nbsp;signature, issuer, or audience. An attacker can generate a JWT&nbsp;token from any issuer with the `preferred_username` set to any user, and the broker will accept it.</div><div>We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.</div><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1285", "description": "CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-20T13:28:43.669Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33557", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:30:30.936Z", "dateReserved": "2026-03-23T03:14:53.527Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-20T13:28:43.669Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A possible security vulnerability has been identified in Apache Kafka.\n\nBy default, the broker property `sasl.oauthbearer.jwt.validator.class` is\u00a0set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its\u00a0signature, issuer, or audience. An attacker can generate a JWT\u00a0token from any issuer with the `preferred_username` set to any user, and the broker will accept it.\n\nWe advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token."}], "id": "CVE-2026-33557", "lastModified": "2026-04-20T19:05:30.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-20T14:16:18.780", "references": [{"source": "security@apache.org", "url": "https://kafka.apache.org/cve-list"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread/v57o00hm6yszdpdnvqx2ss4561yh953h"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/17/2"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1285"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.1.0,4.1.1]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache Kafka", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "kafka", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-20T16:30:39.311461+00:00", "value": {"mitigation_remediation": ["Set sasl.oauthbearer.jwt.validator.class to org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator in broker configuration.", "Upgrade to Kafka 4.1.2, 4.2.0 or later where the default validator has been fixed.", "Restart Kafka broker services so that the configuration change takes effect."], "summary": {"action": "Update config", "impact": "Unauthorized Access via JWT Forgery"}, "threat_synthesis": {"affected_systems": "Apache Software Foundation's Apache Kafka versions 4.1.0 and 4.1.1 are affected when the broker property sasl.oauthbearer.jwt.validator.class is set to its default value. The issue is resolved in Kafka 4.1.2 and later, including 4.2.0 and newer releases.", "description_and_impact": "The vulnerability is caused by the default JWT validator in Kafka brokers, which accepts any JWT token without verifying its signature, issuer, or audience. Because of this missing validation, an attacker can produce a forged token containing any desired username, and the broker will treat the token as legitimate. This flaw, a CWE-1285 Missing Credentials Validation weakness, can lead to unauthorized access to Kafka resources and impersonation of legitimate users.", "risk_and_exploitability": "The CVSS score is 9.1, and the EPSS score is unavailable, but the vulnerability is active for all brokers running the vulnerable default configuration. An attacker who can connect to the broker using the OAUTHBEARER mechanism can simply send a malicious JWT to gain full access. The vulnerability does not require local privileges and can be triggered over the network, making it a high\u2011risk security concern. It is not listed in the CISA KEV catalog."}}}}, "created": "2026-04-20T16:00:10.644568+00:00", "updated": "2026-04-20T16:45:11.942622+00:00", "vendors": ["apache", "apache$PRODUCT$kafka"]}