CVE-2026-10143
Kafka-Python SCRAM Authentication DoS Vulnerability

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VulnCheck

Description
kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in SCRAM authentication handling that allows a malicious or machine-in-the-middle broker to freeze the client event loop by supplying an excessively large iteration count. In scram.py, ScramClient.process_server_first_message() passes the broker-controlled SCRAM iteration count directly to hashlib.pbkdf2_hmac() without validation, blocking producer sends, consumer polls, admin operations, and heartbeats, which can cause consumer group eviction and repeated reconnect failures.
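As an added illustration of the hardened pattern (this is standalone example code, not kafka-python's own scram.py), the following SCRAM client step parses the broker's server-first message and rejects an out-of-range iteration count before any PBKDF2 work starts. The MIN_ITERATIONS and MAX_ITERATIONS bounds are assumed values for this example, not the limits used by any kafka-python release; the sample messages are constructed.

```python
import base64
import hashlib

# Bounds for the broker-supplied "i" attribute. These are assumed values for
# this example, not the limits used by any kafka-python release. RFC 5802 and
# RFC 7677 require at least 4096 iterations; the upper bound is what keeps a
# hostile broker from pinning the client event loop inside pbkdf2_hmac().
MIN_ITERATIONS = 4096
MAX_ITERATIONS = 100_000


class ScramServerFirstError(ValueError):
    """Raised when the server-first message is malformed or out of policy."""


def parse_server_first(message: str) -> dict:
    """Split 'r=<nonce>,s=<base64 salt>,i=<iterations>' into its attributes."""
    fields = {}
    for part in message.split(","):
        if len(part) < 2 or part[1] != "=":
            raise ScramServerFirstError(f"malformed attribute {part!r}")
        fields[part[0]] = part[2:]
    missing = [key for key in ("r", "s", "i") if key not in fields]
    if missing:
        raise ScramServerFirstError(f"missing attribute(s) {missing}")
    return fields


def checked_iterations(raw: str, max_iterations: int = MAX_ITERATIONS) -> int:
    """Validate the iteration count before it reaches pbkdf2_hmac().

    The vulnerable pattern is plain int(raw) with no range check, so the
    broker can name a count that takes minutes or hours to compute.
    """
    if not raw.isdigit():
        raise ScramServerFirstError(f"iteration count {raw!r} is not a number")
    count = int(raw)
    if not MIN_ITERATIONS <= count <= max_iterations:
        raise ScramServerFirstError(
            f"iteration count {count} outside [{MIN_ITERATIONS}, {max_iterations}]")
    return count


def salted_password(password: bytes, server_first: str,
                    max_iterations: int = MAX_ITERATIONS) -> bytes:
    """Derive SaltedPassword (SCRAM-SHA-256) only after the count passes policy."""
    fields = parse_server_first(server_first)
    iterations = checked_iterations(fields["i"], max_iterations)
    salt = base64.b64decode(fields["s"])
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
```

A client that also caps the wall-clock time of the handshake, or runs the derivation off the event loop, adds defence in depth, but the range check alone stops the frozen-loop condition described above.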
Affected Vendors & Products
Vendor       Product        Version / Range
databricks   kafka-python   versions before 2.3.2 (2.3.2 excluded)
CWE ID     Description
CWE-400    Uncontrolled Resource Consumption: the product does not properly control the allocation and maintenance of a limited resource.
Executive Summary

The vulnerability exists in kafka-python versions prior to 2.3.2 within the SCRAM authentication handling process. A malicious or man-in-the-middle broker can exploit this by providing an excessively large iteration count during authentication. This iteration count is passed directly to the hashlib.pbkdf2_hmac() function without any validation, which causes the client event loop to freeze.

As a result, critical operations such as producer sends, consumer polls, admin operations, and heartbeats are blocked, potentially causing consumer group eviction and repeated reconnect failures.

Impact Analysis

This vulnerability can cause a denial-of-service condition by freezing the kafka-python client event loop. This means that important Kafka client operations like sending messages, polling for messages, administrative tasks, and maintaining heartbeats can be blocked.

The impact includes consumer group eviction and repeated reconnect failures, which can disrupt the normal functioning of Kafka clients and potentially lead to service outages or degraded performance.
