CVE-2026-33557
Received Received - Intake
JWT Validation Bypass in Apache Kafka Allows Unauthorized Access

Publication date: 2026-04-20

Last updated on: 2026-04-22

Assigner: Apache Software Foundation

Description
A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the `preferred_username` set to any user, and the broker will accept it. We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33557
EUVD
EUVD-2026-23846
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache kafka From 4.1.0 (inc) to 4.1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1285 The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Apache Kafka versions 4.1.0 and 4.1.1 in the OAUTHBEARER authentication mechanism.

By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`, which does not validate the JWT token's signature, issuer, or audience.

As a result, an attacker can create a JWT token from any issuer with any chosen `preferred_username`, and the Kafka broker will accept it without proper validation.

This means the broker trusts tokens that should normally be rejected, allowing unauthorized access.

Impact Analysis

This vulnerability can allow an attacker to impersonate any user by generating a forged JWT token with a chosen username.

Since the broker does not validate the token's signature, issuer, or audience, unauthorized users can gain access to Kafka resources and perform actions as if they were legitimate users.

This can lead to unauthorized data access, data manipulation, or disruption of Kafka services.

Detection Guidance

This vulnerability involves the Kafka broker accepting any JWT token without validating its signature, issuer, or audience. Detection would involve checking the Kafka broker configuration for the property `sasl.oauthbearer.jwt.validator.class`.

Specifically, if the property is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator` or is unset (default), the system is vulnerable.

Commands to detect this could include inspecting the Kafka broker configuration files or querying the broker configuration via Kafka's command-line tools.

  • Check the broker configuration file (e.g., server.properties) for the line: `sasl.oauthbearer.jwt.validator.class`
  • Use Kafka's command line tool to describe broker configs, for example: `kafka-configs.sh --bootstrap-server <broker>:9092 --entity-type brokers --entity-name <broker-id> --describe` and look for the `sasl.oauthbearer.jwt.validator.class` setting.
Mitigation Strategies

To mitigate this vulnerability in Apache Kafka versions 4.1.0 and 4.1.1, explicitly set the broker configuration property `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator`.

Alternatively, upgrade Kafka to version 4.1.2, 4.2.0, or later, where the issue is fixed and JWT tokens are properly validated.

Compliance Impact

The vulnerability in Apache Kafka allows acceptance of JWT tokens without validating their signature, issuer, or audience, which can lead to unauthorized access by attackers impersonating any user.

Such unauthorized access can potentially lead to breaches of sensitive data or improper handling of personal information, which may impact compliance with standards and regulations like GDPR and HIPAA that require strict access controls and data protection.

Mitigating this vulnerability by configuring Kafka to properly validate JWT tokens or upgrading to fixed versions is essential to maintain compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33557. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart