Executive Summary

CVE-2026-33558 is an information exposure vulnerability in Apache Kafka and its clients. It occurs because the NetworkClient component outputs entire request and response data when the logging level is set to DEBUG. By default, the log level is INFO, so this sensitive information is not exposed unless DEBUG logging is enabled.

The vulnerability affects several specific API requests and responses, including AlterConfigsRequest, AlterUserScramCredentialsRequest, ExpireDelegationTokenRequest, IncrementalAlterConfigsRequest, RenewDelegationTokenRequest, SaslAuthenticateRequest, createDelegationTokenResponse, describeDelegationTokenResponse, and SaslAuthenticateResponse.

If DEBUG logging is enabled, sensitive information contained in these requests and responses can be exposed in the logs.

Useful 0 Not Useful 0

Impact Analysis

If DEBUG logging is enabled in Apache Kafka, sensitive information from certain requests and responses can be exposed in the logs. This can lead to unauthorized disclosure of sensitive data, potentially compromising security.

Such exposure could allow attackers or unauthorized users with access to the logs to obtain confidential information, which might include authentication credentials or configuration details.

To mitigate this risk, users should avoid enabling DEBUG logging in production environments or upgrade to Apache Kafka versions 3.9.2, 4.0.1, or later where this issue is fixed.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the Apache Kafka NetworkClient component is logging at the DEBUG level, which exposes entire requests and responses containing sensitive information.

To detect this on your system, you can inspect the Kafka log files for DEBUG level entries that include detailed request and response data, especially for the affected API calls such as AlterConfigsRequest, SaslAuthenticateRequest, and others.

Suggested commands include using grep or similar tools to search Kafka log files for DEBUG entries related to these requests. For example:

• grep -i 'DEBUG' /path/to/kafka/logs/server.log | grep -E 'AlterConfigsRequest|SaslAuthenticateRequest|ExpireDelegationTokenRequest'
• tail -f /path/to/kafka/logs/server.log | grep 'DEBUG'

If DEBUG logs contain full request and response data, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to ensure that the Kafka logging level is not set to DEBUG, as DEBUG logging exposes sensitive information in the logs.

Additionally, users should upgrade Apache Kafka to version 3.9.2, 4.0.1, or later, where this vulnerability has been fixed.

Until the upgrade can be performed, verify and configure the logging settings to use INFO or higher log levels to prevent sensitive data exposure.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability causes sensitive information to be exposed in logs when the DEBUG log level is enabled in Apache Kafka's NetworkClient component.

Exposure of sensitive information through logs can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require protection of personal and sensitive data from unauthorized access or disclosure.

Therefore, if DEBUG logging is enabled in affected versions, organizations using Apache Kafka may risk violating these standards due to unintended information exposure.

Upgrading to fixed versions (3.9.2, 4.0.1, or later) is advised to mitigate this risk and help maintain compliance.

Useful 0 Not Useful 0