CVE-2026-27133
Certificate Validation Bypass in Strimzi Kafka Connect and MirrorMaker

Publication date: 2026-02-20

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. In versions from 0.47.0 up to, but not including, 0.50.1, when a chain consisting of multiple CA (Certificate Authority) certificates is used in the trusted certificates configuration of a Kafka Connect operand, or of the target cluster in the Kafka MirrorMaker 2 operand, every certificate in the CA chain is trusted individually when connecting to the Apache Kafka cluster. Because of this error, the affected operand (Kafka Connect or Kafka MirrorMaker 2) might accept connections to Kafka brokers whose server certificates were signed by one of the other CAs in the CA chain, and not only by the last CA in the chain. This issue is fixed in Strimzi 0.50.1.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: linuxfoundation
Product: strimzi
Version / Range: from 0.47.0 (inclusive) to 0.50.1 (exclusive)
CWE
CWE-296 The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.
CWE-295 The product does not validate, or incorrectly validates, a certificate.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Strimzi versions from 0.47.0 to before 0.50.1, affecting Kafka Connect and Kafka MirrorMaker 2 components. When a chain of multiple Certificate Authority (CA) certificates is configured as trusted, the system incorrectly trusts each CA certificate in the chain individually rather than only the final CA in the chain. This means that connections to the Apache Kafka cluster might be accepted if the server certificate is signed by any CA in the chain, not just the intended one.

How can this vulnerability impact me?

The vulnerability can lead to improper trust validation when connecting to Kafka brokers. An attacker with a certificate signed by any CA in the trusted chain (not necessarily the final CA) could potentially establish a connection to the Kafka cluster. This could allow unauthorized access or man-in-the-middle attacks, compromising the confidentiality and integrity of the data transmitted.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know

How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Strimzi to version 0.50.1 or later, where the issue has been fixed.