CVE-2026-27133
Received Received - Intake
Certificate Validation Bypass in Strimzi Kafka Connect and MirrorMaker

Publication date: 2026-02-20

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 to before 0.50.1, when a chain consisting of multiple CA (Certificate Authority) certificates is used in the trusted certificates configuration of a Kafka Connect operand or of the target cluster in the Kafka MirrorMaker 2 operand, all of the certificates that are part of the CA chain will be trusted individually when connecting to the Apache Kafka cluster. Due to this error, the affected operand (Kafka Connect or Kafka MirrorMaker 2) might accept connections to Kafka brokers using server certificates signed by one of the other CAs in the CA chain and not just by the last CA in the chain. This issue is fixed in Strimzi 0.50.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27133
EUVD
EUVD-2026-7764
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linuxfoundation strimzi From 0.47.0 (inc) to 0.50.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
CWE-296 The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Strimzi versions from 0.47.0 to before 0.50.1, affecting Kafka Connect and Kafka MirrorMaker 2 components. When a chain of multiple Certificate Authority (CA) certificates is configured as trusted, the system incorrectly trusts each CA certificate in the chain individually rather than only the final CA in the chain. This means that connections to the Apache Kafka cluster might be accepted if the server certificate is signed by any CA in the chain, not just the intended one.

Impact Analysis

The vulnerability can lead to improper trust validation when connecting to Kafka brokers. An attacker with a certificate signed by any CA in the trusted chain (not necessarily the final CA) could potentially establish a connection to the Kafka cluster. This could allow unauthorized access or man-in-the-middle attacks, compromising confidentiality and integrity of the data transmitted.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade Strimzi to version 0.50.1 or later, where the issue has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27133. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart