CVE-2026-42316
KQL Injection in kafka-sink-azure-kusto Plugin

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
The kafka-sink-azure-kusto Kafka Connect plugin is the official Microsoft sink for Azure Data Explorer (Kusto). Prior to 5.2.3, kafka-sink-azure-kusto did not sanitize user-controlled values inside the kusto.tables.topics.mapping configuration. The db, table, mapping, and format fields of each mapping entry were interpolated directly into KQL management/query commands via String.formatted(...) (e.g., FETCH_TABLE_COMMAND.formatted(table) → "<table> | count", FETCH_TABLE_MAPPING_COMMAND.formatted(table, format, mapping) → ".show table <table> ingestion <format> mapping '<mapping>'").

An actor able to influence the connector configuration (for example, someone with permissions to submit or edit Kafka Connect connector configs) could embed KQL metacharacters (;, |, ') to execute arbitrary management commands in the context of the connector's service principal, enabling schema enumeration/modification, ingestion-mapping tampering, or changes to streaming/retention policies on the target Azure Data Explorer database. This is a tampering vulnerability. Exploitation requires privileged access to the connector configuration; no end-user interaction or Kafka record payload is involved. This vulnerability is fixed in 5.2.3.
Affected Vendors & Products (2 associated CPEs)
Vendor      Product                   Version / Range
microsoft   kafka_sink_azure_kusto    up to 5.2.3 (excluding)
microsoft   kafka-sink-azure-kusto    up to 5.2.3 (excluding)
CWE
CWE-943: The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-42316 is a vulnerability in the kafka-sink-azure-kusto Kafka Connect plugin, which is used to connect Kafka with Azure Data Explorer (Kusto). Prior to version 5.2.3, the plugin did not properly sanitize user-controlled values in the kusto.tables.topics.mapping configuration. Specifically, fields such as db, table, mapping, and format were directly inserted into Kusto Query Language (KQL) commands without validation.

An attacker with permissions to modify the connector configuration could inject KQL metacharacters like semicolons, pipes, or single quotes to execute arbitrary management commands. This could allow them to enumerate or modify database schemas, tamper with ingestion mappings, or change streaming and retention policies on the Azure Data Explorer database. Exploitation requires privileged access to the connector configuration and does not involve end-user interaction or Kafka record payloads.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves checking the configuration of the kafka-sink-azure-kusto connector, specifically the `kusto.tables.topics.mapping` settings.

Look for any user-controlled values in the `db`, `table`, `mapping`, and `format` fields that contain KQL metacharacters such as semicolons (;), pipes (|), or single quotes ('). These characters indicate potential injection attempts.

Since the vulnerability requires privileged access to the connector configuration, commands or scripts that audit or extract the connector configuration can be used to detect unsafe values.

For example, you can use Kafka Connect REST API commands to retrieve connector configurations and inspect the `kusto.tables.topics.mapping` field for suspicious characters.

  • Use curl or similar tools to get connector config: `curl -X GET http://<connect-host>:8083/connectors/<connector-name>/config`
  • Parse the output to check for presence of KQL metacharacters in the mapping fields.

No specific detection commands are provided in the resources, but focusing on configuration inspection for unsafe characters is the recommended approach.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade the kafka-sink-azure-kusto plugin to version 5.2.3 or later, which includes a security fix that introduces allowlist regex validations for the `db`, `table`, `mapping`, and `format` fields to prevent KQL injection.

If upgrading immediately is not possible, restrict access to the connector configuration to only trusted and privileged users to prevent unauthorized modification.

Validate and sanitize all input values in the `kusto.tables.topics.mapping` configuration manually, ensuring they do not contain KQL metacharacters such as semicolons (;), pipes (|), or single quotes (').

Scope the connector's service principal identity to the least privilege necessary to limit potential damage if exploitation occurs.

Treat the mapping configuration as trusted code and monitor for any unexpected changes.
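As an added example (not the connector's own code; the 5.2.3 fix is in Java and its exact regexes are not reproduced here), the following Python audit applies the allowlist approach from the mitigation answer to the kusto.tables.topics.mapping value that the Connect REST API call in the detection answer returns, flagging the metacharacters the advisory names, and shows a hardened counterpart of the FETCH_TABLE_COMMAND builder that refuses unvalidated table names. The allowlist patterns and the sample connector config are assumptions constructed for this example.

```python
import json
import re

# Allowlist patterns are an assumption of this example, not the regexes shipped in 5.2.3.
ALLOWLIST = {
    "db": re.compile(r"[A-Za-z0-9_\-]{1,260}"),
    "table": re.compile(r"[A-Za-z0-9_\-]{1,1024}"),
    "mapping": re.compile(r"[A-Za-z0-9_\-]{1,1024}"),
    "format": re.compile(r"[A-Za-z0-9]{1,32}"),
}
KQL_METACHARS = set(";|'")  # the characters named in the advisory

def audit_mapping(mapping_value: str):
    """Check a kusto.tables.topics.mapping value (a JSON array of entries) and
    return (entry_index, field, reason) findings; an empty list means clean."""
    try:
        entries = json.loads(mapping_value)
    except json.JSONDecodeError as exc:
        return [(-1, "kusto.tables.topics.mapping", f"not valid JSON: {exc}")]
    findings = []
    for i, entry in enumerate(entries):
        for field, pattern in ALLOWLIST.items():
            value = entry.get(field)
            if value is None:
                continue  # optional field not set for this entry
            if KQL_METACHARS & set(value):
                findings.append((i, field, "contains KQL metacharacter"))
            elif not pattern.fullmatch(value):
                findings.append((i, field, "outside allowlist"))
    return findings

def audit_connector_config(config: dict):
    """config is the JSON object returned by GET /connectors/<name>/config."""
    return audit_mapping(config.get("kusto.tables.topics.mapping", "[]"))

def fetch_table_command(table: str) -> str:
    """Hardened counterpart of FETCH_TABLE_COMMAND.formatted(table): validate
    against the allowlist before the value ever reaches a KQL string."""
    if not ALLOWLIST["table"].fullmatch(table):
        raise ValueError(f"refusing to interpolate table name {table!r} into KQL")
    return f"{table} | count"

# Constructed sample config (hypothetical connector); entry 1 has a pipe in its table name.
SAMPLE_CONFIG = {
    "kusto.tables.topics.mapping": json.dumps([
        {"topic": "orders", "db": "sales", "table": "Orders", "format": "json", "mapping": "OrdersMapping"},
        {"topic": "events", "db": "sales", "table": "Events | count", "format": "json"},
    ]),
}
```

Feed the object returned by the curl call from the detection answer to audit_connector_config; a non-empty findings list means the mapping needs review before the connector is (re)started.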


How can this vulnerability impact me?

This vulnerability can lead to unauthorized execution of management commands in the Azure Data Explorer environment under the connector's service principal. Potential impacts include:

  • Schema enumeration and modification, allowing attackers to view or change database structures.
  • Tampering with ingestion mappings, which could disrupt or alter data ingestion processes.
  • Changes to streaming and retention policies, potentially affecting data availability and lifecycle.

Overall, the vulnerability compromises confidentiality and integrity of the data and configurations managed by the plugin, though it does not impact availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an attacker with privileged access to the connector configuration to execute arbitrary management commands on the Azure Data Explorer database, potentially leading to schema enumeration, modification, and ingestion-mapping tampering. This can compromise the confidentiality and integrity of data managed by the system.

Such unauthorized access and tampering could lead to violations of data protection standards and regulations like GDPR and HIPAA, which require strict controls over data integrity and confidentiality. If sensitive or personal data is exposed or altered due to exploitation of this vulnerability, it may result in non-compliance with these regulations.

Mitigations include restricting configuration access, validating input fields, and applying least privilege principles to the connector's identity, which are important controls to maintain compliance.

