CVE-2026-33557
JWT Validation Bypass in Apache Kafka Allows Unauthorized Access
Publication date: 2026-04-20
Last updated on: 2026-04-22
Assigner: Apache Software Foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | kafka | From 4.1.0 (inc) to 4.1.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1285 | The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Apache Kafka versions 4.1.0 and 4.1.1 in the OAUTHBEARER authentication mechanism.
By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`, which does not validate the JWT token's signature, issuer, or audience.
As a result, an attacker can create a JWT token from any issuer with any chosen `preferred_username`, and the Kafka broker will accept it without proper validation.
This means the broker trusts tokens that should normally be rejected, allowing unauthorized access.
How can this vulnerability impact me?
This vulnerability can allow an attacker to impersonate any user by generating a forged JWT token with a chosen username.
Since the broker does not validate the token's signature, issuer, or audience, unauthorized users can gain access to Kafka resources and perform actions as if they were legitimate users.
This can lead to unauthorized data access, data manipulation, or disruption of Kafka services.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Kafka broker accepting any JWT token without validating its signature, issuer, or audience. Detection would involve checking the Kafka broker configuration for the property `sasl.oauthbearer.jwt.validator.class`.
Specifically, if the property is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator` or is unset (default), the system is vulnerable.
Commands to detect this could include inspecting the Kafka broker configuration files or querying the broker configuration via Kafka's command-line tools.
- Check the broker configuration file (e.g., server.properties) for the line: `sasl.oauthbearer.jwt.validator.class`
- Use Kafka's command line tool to describe broker configs, for example: `kafka-configs.sh --bootstrap-server <broker>:9092 --entity-type brokers --entity-name <broker-id> --describe` and look for the `sasl.oauthbearer.jwt.validator.class` setting.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability in Apache Kafka versions 4.1.0 and 4.1.1, explicitly set the broker configuration property `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator`.
Alternatively, upgrade Kafka to version 4.1.2, 4.2.0, or later, where the issue is fixed and JWT tokens are properly validated.
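As an added example that is not part of this advisory or of Apache Kafka's own tooling, the following Python script reads a broker's `server.properties` and classifies it against the detection and mitigation guidance above. It assumes that `sasl.enabled.mechanisms` lists the active SASL mechanisms and that per-listener overrides follow Kafka's `listener.name.<listener>.oauthbearer.` prefix convention; the sample configurations are constructed.

```python
import re
from typing import Dict, Tuple

# Property name, class names and affected range are quoted from the advisory text.
VALIDATOR_KEY = "sasl.oauthbearer.jwt.validator.class"
WEAK_VALIDATOR = "org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator"
FIXED_VALIDATOR = "org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator"
AFFECTED_MIN, AFFECTED_MAX = (4, 1, 0), (4, 1, 2)  # affected: 4.1.0 <= version < 4.1.2

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: skips blank/comment lines, splits on the first '=' or ':'."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def check_broker(props: Dict[str, str], version: str) -> Tuple[str, str]:
    """Classify one broker as vulnerable / mitigated / not_affected / review, with a reason."""
    if not (AFFECTED_MIN <= tuple(int(p) for p in version.split(".")[:3]) < AFFECTED_MAX):
        return "not_affected", f"Kafka {version} is outside the affected range"
    mechanisms = [m.strip().upper() for m in props.get("sasl.enabled.mechanisms", "").split(",")]
    if "OAUTHBEARER" not in mechanisms:
        return "not_affected", "OAUTHBEARER is not an enabled SASL mechanism"
    # Assumption: per-listener overrides use Kafka's listener.name.<listener>.oauthbearer. prefix.
    keys = [k for k in props if k == VALIDATOR_KEY or (k.startswith("listener.name.") and k.endswith("." + VALIDATOR_KEY))]
    if not keys:
        return "vulnerable", f"{VALIDATOR_KEY} is unset, so the broker falls back to DefaultJwtValidator"
    for key in keys:
        if props[key] == WEAK_VALIDATOR:
            return "vulnerable", f"{key} is explicitly set to DefaultJwtValidator"
        if props[key] != FIXED_VALIDATOR:
            return "review", f"{key} names a custom validator ({props[key]}); confirm it checks signature, issuer and audience"
    return "mitigated", f"{VALIDATOR_KEY} is set to BrokerJwtValidator"

WEAK_CONFIG = """# constructed sample server.properties (not from a real deployment): validator left at default
broker.id=1
listeners=SASL_SSL://0.0.0.0:9093
sasl.enabled.mechanisms=OAUTHBEARER
"""
FIXED_CONFIG = WEAK_CONFIG + VALIDATOR_KEY + "=" + FIXED_VALIDATOR + "\n"

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, *check_broker(parse_properties(cfg), "4.1.1"))
```

Run it against each broker's properties file together with the version reported by that broker; a `review` result means a custom validator is configured and must be checked by hand.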
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Apache Kafka allows acceptance of JWT tokens without validating their signature, issuer, or audience, which can lead to unauthorized access by attackers impersonating any user.
Such unauthorized access can potentially lead to breaches of sensitive data or improper handling of personal information, which may impact compliance with standards and regulations like GDPR and HIPAA that require strict access controls and data protection.
Mitigating this vulnerability by configuring Kafka to properly validate JWT tokens or upgrading to fixed versions is essential to maintain compliance with these regulations.