CVE-2026-42316
Received Received - Intake
KQL Injection in kafka-sink-azure-kusto Plugin

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
kafka-sink-azure-kusto Kafka Connect plugin is the official Microsoft sink for Azure Data Explorer (Kusto). Prior to 5.2.3, kafka-sink-azure-kusto did not sanitize user-controlled values inside the kusto.tables.topics.mapping configuration. The db, table, mapping, and format fields of each mapping entry were interpolated directly into KQL management/query commands via String.formatted(...) (e.g., FETCH_TABLE_COMMAND.formatted(table) β†’ "<table> | count", FETCH_TABLE_MAPPING_COMMAND.formatted(table, format, mapping) β†’ ".show table <table> ingestion <format> mapping '<mapping>'"). An actor able to influence the connector configuration (for example, someone with permissions to submit or edit Kafka Connect connector configs) could embed KQL metacharacters (;, |, ') to execute arbitrary management commands in the context of the connector's service principal β€” enabling schema enumeration/modification, ingestion-mapping tampering, or changes to streaming/retention policies on the target Azure Data Explorer database. This is a tampering vulnerability. Exploitation requires privileged access to the connector configuration; no end-user interaction or Kafka record payload is involved. This vulnerability is fixed in 5.2.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-42316
EUVD
EUVD-2026-29124
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
microsoft kafka_sink_azure_kusto to 5.2.3 (exc)
microsoft kafka-sink-azure-kusto to 5.2.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

Detection of this vulnerability involves checking the configuration of the kafka-sink-azure-kusto connector, specifically the `kusto.tables.topics.mapping` settings.

Look for any user-controlled values in the `db`, `table`, `mapping`, and `format` fields that contain KQL metacharacters such as semicolons (;), pipes (|), or single quotes ('). These characters indicate potential injection attempts.

Since the vulnerability requires privileged access to the connector configuration, commands or scripts that audit or extract the connector configuration can be used to detect unsafe values.

For example, you can use Kafka Connect REST API commands to retrieve connector configurations and inspect the `kusto.tables.topics.mapping` field for suspicious characters.

  • Use curl or similar tools to get connector config: `curl -X GET http://<connect-host>:8083/connectors/<connector-name>/config`
  • Parse the output to check for presence of KQL metacharacters in the mapping fields.

No specific detection commands are provided in the resources, but focusing on configuration inspection for unsafe characters is the recommended approach.

Mitigation Strategies

The primary mitigation is to upgrade the kafka-sink-azure-kusto plugin to version 5.2.3 or later, which includes a security fix that introduces allowlist regex validations for the `db`, `table`, `mapping`, and `format` fields to prevent KQL injection.

If upgrading immediately is not possible, restrict access to the connector configuration to only trusted and privileged users to prevent unauthorized modification.

Validate and sanitize all input values in the `kusto.tables.topics.mapping` configuration manually, ensuring they do not contain KQL metacharacters such as semicolons (;), pipes (|), or single quotes (').

Scope the connector's service principal identity to the least privilege necessary to limit potential damage if exploitation occurs.

Treat the mapping configuration as trusted code and monitor for any unexpected changes.

Executive Summary

CVE-2026-42316 is a vulnerability in the kafka-sink-azure-kusto Kafka Connect plugin, which is used to connect Kafka with Azure Data Explorer (Kusto). Prior to version 5.2.3, the plugin did not properly sanitize user-controlled values in the kusto.tables.topics.mapping configuration. Specifically, fields such as db, table, mapping, and format were directly inserted into Kusto Query Language (KQL) commands without validation.

An attacker with permissions to modify the connector configuration could inject KQL metacharacters like semicolons, pipes, or single quotes to execute arbitrary management commands. This could allow them to enumerate or modify database schemas, tamper with ingestion mappings, or change streaming and retention policies on the Azure Data Explorer database. Exploitation requires privileged access to the connector configuration and does not involve end-user interaction or Kafka record payloads.

Impact Analysis

This vulnerability can lead to unauthorized execution of management commands in the Azure Data Explorer environment under the connector's service principal. Potential impacts include:

  • Schema enumeration and modification, allowing attackers to view or change database structures.
  • Tampering with ingestion mappings, which could disrupt or alter data ingestion processes.
  • Changes to streaming and retention policies, potentially affecting data availability and lifecycle.

Overall, the vulnerability compromises confidentiality and integrity of the data and configurations managed by the plugin, though it does not impact availability.

Compliance Impact

The vulnerability allows an attacker with privileged access to the connector configuration to execute arbitrary management commands on the Azure Data Explorer database, potentially leading to schema enumeration, modification, and ingestion-mapping tampering. This can compromise the confidentiality and integrity of data managed by the system.

Such unauthorized access and tampering could lead to violations of data protection standards and regulations like GDPR and HIPAA, which require strict controls over data integrity and confidentiality. If sensitive or personal data is exposed or altered due to exploitation of this vulnerability, it may result in non-compliance with these regulations.

Mitigations include restricting configuration access, validating input fields, and applying least privilege principles to the connector's identity, which are important controls to maintain compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42316. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart