CVE-2026-10143
Modified - Updated After Analysis

Kafka-Python SCRAM Authentication DoS Vulnerability

Vulnerability report for CVE-2026-10143, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-30

Assigner: VulnCheck

Description

kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in its SCRAM authentication handling that allows a malicious or machine-in-the-middle broker to freeze the client event loop by supplying an excessively large iteration count. In scram.py, ScramClient.process_server_first_message() passes the broker-controlled SCRAM iteration count (the i= attribute of the server-first-message) directly to hashlib.pbkdf2_hmac() without validation. The resulting PBKDF2 computation runs synchronously inside the client's event loop, so producer sends, consumer polls, admin operations and heartbeats are blocked for its duration, which can cause consumer group eviction and repeated reconnect failures.
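The iteration-count handling described above, as an added example that is not code from kafka-python or from the advisory: a minimal SCRAM-SHA-256 client step written for this page, showing the unbounded salting call next to a bounded one, with a broker-side proof check so the exchange can be run end to end. The cap MAX_ITERATIONS, the nonces, salt, password and both server-first-messages are constructed for the example; none of them is taken from kafka-python's own scram.py.

```python
import base64
import hashlib
import hmac
import re

# Assumed cap on the broker-supplied iteration count. RFC 5802 asks for at
# least 4096; the cap value is an assumption for this example, not kafka-python's.
MAX_ITERATIONS = 1_000_000

# server-first-message attributes: r=<nonce>,s=<base64 salt>,i=<count>
_SERVER_FIRST_RE = re.compile(r"^r=([^,]+),s=([^,]+),i=(\d+)$")


def parse_server_first(message):
    """Split 'r=...,s=...,i=...' into (nonce, salt_bytes, iterations)."""
    m = _SERVER_FIRST_RE.match(message)
    if m is None:
        raise ValueError("malformed server-first-message")
    return m.group(1), base64.b64decode(m.group(2)), int(m.group(3))


def salted_password_unbounded(password, salt, iterations, hashname="sha256"):
    """Vulnerable shape: the broker's count goes straight into PBKDF2, so a
    count in the billions keeps the calling thread busy for hours."""
    return hashlib.pbkdf2_hmac(hashname, password.encode("utf-8"), salt, iterations)


def salted_password_bounded(password, salt, iterations, hashname="sha256",
                            max_iterations=MAX_ITERATIONS):
    """Hardened shape: refuse the count before any PBKDF2 work starts."""
    if not 1 <= iterations <= max_iterations:
        raise ValueError("SCRAM iteration count %d outside 1..%d" % (iterations, max_iterations))
    return hashlib.pbkdf2_hmac(hashname, password.encode("utf-8"), salt, iterations)


def client_final(password, client_first_bare, server_first, hashname="sha256"):
    """Build the client-final-message (RFC 5802 section 3) using the bounded step."""
    nonce, salt, iterations = parse_server_first(server_first)
    client_nonce = client_first_bare.split(",r=", 1)[1]
    if not nonce.startswith(client_nonce):
        raise ValueError("server nonce does not extend the client nonce")
    salted = salted_password_bounded(password, salt, iterations, hashname)
    client_key = hmac.new(salted, b"Client Key", hashname).digest()
    stored_key = hashlib.new(hashname, client_key).digest()
    without_proof = "c=biws,r=" + nonce  # c=biws is base64("n,,"): no channel binding
    auth_message = ",".join([client_first_bare, server_first, without_proof]).encode("utf-8")
    client_sig = hmac.new(stored_key, auth_message, hashname).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))  # ClientKey XOR ClientSignature
    return without_proof + ",p=" + base64.b64encode(proof).decode("ascii")


def broker_verify(stored_key, client_first_bare, server_first, client_final_message, hashname="sha256"):
    """Broker side: recover ClientKey from the proof and check H(ClientKey) == StoredKey."""
    without_proof, proof_b64 = client_final_message.rsplit(",p=", 1)
    auth_message = ",".join([client_first_bare, server_first, without_proof]).encode("utf-8")
    client_sig = hmac.new(stored_key, auth_message, hashname).digest()
    client_key = bytes(a ^ b for a, b in zip(base64.b64decode(proof_b64), client_sig))
    return hmac.compare_digest(hashlib.new(hashname, client_key).digest(), stored_key)


# Constructed sample exchange for this example, not captured traffic.
PASSWORD = "correct horse battery staple"
CLIENT_FIRST_BARE = "n=alice,r=fyko+d2lbbFgONRv9qkxdawL"
SALT_B64 = base64.b64encode(b"0123456789abcdef").decode("ascii")
BENIGN_SERVER_FIRST = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=" + SALT_B64 + ",i=4096"
HOSTILE_SERVER_FIRST = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=" + SALT_B64 + ",i=4000000000"


def broker_stored_key(password=PASSWORD, salt_b64=SALT_B64, iterations=4096, hashname="sha256"):
    """What the broker stored for the user when the credential was created."""
    salted = hashlib.pbkdf2_hmac(hashname, password.encode("utf-8"), base64.b64decode(salt_b64), iterations)
    return hashlib.new(hashname, hmac.new(salted, b"Client Key", hashname).digest()).digest()


def run_exchange(server_first):
    """True when the client's proof verifies at the broker; raises ValueError
    when the bounded client refuses the broker's iteration count."""
    final = client_final(PASSWORD, CLIENT_FIRST_BARE, server_first)
    return broker_verify(broker_stored_key(), CLIENT_FIRST_BARE, server_first, final)


def client_refuses(server_first):
    """True if the bounded client rejects this server-first-message before PBKDF2 runs."""
    try:
        client_final(PASSWORD, CLIENT_FIRST_BARE, server_first)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("benign exchange authenticates:", run_exchange(BENIGN_SERVER_FIRST))
    print("hostile i=4000000000 refused:", client_refuses(HOSTILE_SERVER_FIRST))
```

The two salting functions differ only in the range check, which is the whole fix: the check costs nothing, while feeding the hostile message's i=4000000000 into salted_password_unbounded() would run PBKDF2 four billion times on the calling thread. Do not call the unbounded variant with the hostile message unless you want to watch the process hang.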

CVSS Scores

EPSS Scores


Meta Information

Published
2026-06-10
Last Modified
2026-06-30
Generated
2026-07-01
AI Q&A
2026-06-11
EPSS Evaluated
2026-06-30
NVD
EUVD

Affected Vendors & Products

Vendor  Product       Version / Range
dpkp    kafka-python  < 2.3.2 (2.3.2 excluded)

Helpful Resources

Exploitability

CWE

CWE ID   Description
CWE-400  The product does not properly control the allocation and maintenance of a limited resource.
CWE-606  The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.

Attack-Flow Graph

AI Quick Actions

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-10143 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate this vulnerability, upgrade kafka-python to version 2.3.2 or later, where the SCRAM iteration count received from the broker is validated before it is passed to hashlib.pbkdf2_hmac().

Until the upgrade is rolled out, do not run kafka-python versions prior to 2.3.2 against brokers you do not fully trust. Connecting with security_protocol='SASL_SSL' and a verified broker certificate closes the machine-in-the-middle variant of the attack, since an attacker can no longer substitute the server-first-message in transit; it does not help against a legitimate broker that has itself been compromised, so it complements the upgrade rather than replacing it.

Detection Guidance

This vulnerability causes the kafka-python client's event loop to freeze while hashlib.pbkdf2_hmac() works through an excessively large SCRAM iteration count supplied by a malicious broker. Symptoms include blocked producer sends, consumer polls, admin operations and heartbeats, followed by consumer group eviction and repeated reconnect failures once the consumer session timeout expires.

To detect this vulnerability on your system, monitor kafka-python client logs and network behaviour for signs of blocking during SCRAM authentication, in particular repeated reconnect attempts and consumer group evictions that coincide with authentication.

The resources for this CVE list no specific commands; the following general checks apply:

  • Check the installed kafka-python version to ensure it is 2.3.2 or later (e.g., `pip show kafka-python` or `pip list | grep kafka-python`), in every virtual environment and container image that carries the client.
  • Monitor client logs for authentication delays or failures related to SCRAM, and for the missed-heartbeat and rebalance messages that follow a stalled client.
  • Use network packet capture tools (e.g., `tcpdump` or `wireshark`) to inspect SCRAM authentication messages and look for unusually large values in the `i=` attribute of the server-first-message. This is only possible on SASL_PLAINTEXT listeners; under SASL_SSL the SCRAM exchange is inside TLS and cannot be read from the capture.
  • Use process monitoring commands (e.g., `top`, `htop`, or `ps`) to detect a kafka-python client that is stuck during authentication. PBKDF2 is CPU-bound, so an affected process typically pins one core at 100% while sending no Kafka traffic.

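Two of the checks above carried out in code, as an added example rather than anything from the advisory's resources: a version comparison against the 2.3.2 fix and a scan of decoded SCRAM server-first-messages for oversized i= values. The alert threshold SUSPICIOUS_ITERATIONS and the sample payloads are constructed for this page; the version check relies only on importlib.metadata from the standard library.

```python
import re
from importlib import metadata

FIXED_VERSION = (2, 3, 2)          # first kafka-python release with the fix
SUSPICIOUS_ITERATIONS = 1_000_000  # assumption for this example: alert above this count

# the 'i=<count>' attribute inside a SCRAM server-first-message
_ITER_RE = re.compile(r"(?:^|,)i=(\d+)(?:,|$)")


def parse_version(text):
    """'2.3.2' -> (2, 3, 2). Parsing stops at the first piece that is not
    purely numeric, so '2.0.2.dev0' -> (2, 0, 2); a tag such as '2.3.2rc1'
    is treated as 2.3.2, which is good enough for a fixed-or-not check."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):
            break
    return tuple(parts)


def is_vulnerable_version(text):
    """True for any kafka-python version below 2.3.2."""
    return parse_version(text) < FIXED_VERSION


def installed_kafka_python_status():
    """'vulnerable', 'fixed' or 'not installed' for the running interpreter."""
    try:
        version = metadata.version("kafka-python")
    except metadata.PackageNotFoundError:
        return "not installed"
    return "vulnerable" if is_vulnerable_version(version) else "fixed"


def iteration_count(server_first):
    """Extract the i= attribute from a decoded server-first-message, or None."""
    m = _ITER_RE.search(server_first)
    return int(m.group(1)) if m else None


def flag_server_first_messages(messages, threshold=SUSPICIOUS_ITERATIONS):
    """Return (index, message, iterations) for every message whose iteration
    count exceeds threshold. The messages are the SCRAM payloads with the Kafka
    SaslAuthenticate framing already stripped; they can only be read from a
    capture taken on a SASL_PLAINTEXT listener."""
    hits = []
    for idx, msg in enumerate(messages):
        count = iteration_count(msg)
        if count is not None and count > threshold:
            hits.append((idx, msg, count))
    return hits


# Constructed sample payloads for this example, not real captured traffic.
SAMPLE_SERVER_FIRST = [
    "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096",
    "r=abc123def456,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=8192",
    "r=abc123def456,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4000000000",
]

if __name__ == "__main__":
    print("installed kafka-python:", installed_kafka_python_status())
    for idx, msg, count in flag_server_first_messages(SAMPLE_SERVER_FIRST):
        print("suspicious iteration count %d in message %d: %s" % (count, idx, msg))
```

The threshold is deliberately generous: legitimate brokers use counts in the low thousands, so anything in the millions is either a misconfiguration or the attack described here, and either way the client should not be spending that much CPU on one handshake.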
Executive Summary

The vulnerability exists in kafka-python versions prior to 2.3.2 within the SCRAM authentication handling process. A malicious or man-in-the-middle broker can exploit this by providing an excessively large iteration count during authentication. This iteration count is passed directly to the hashlib.pbkdf2_hmac() function without any validation, which causes the client event loop to freeze.

As a result, critical operations such as producer sends, consumer polls, admin operations, and heartbeats are blocked, potentially causing consumer group eviction and repeated reconnect failures.

Impact Analysis

This vulnerability can cause a denial-of-service condition by freezing the kafka-python client event loop. This means that important Kafka client operations like sending messages, polling for messages, administrative tasks, and maintaining heartbeats can be blocked.

The impact includes consumer group eviction and repeated reconnect failures, which can disrupt the normal functioning of Kafka clients and potentially lead to service outages or degraded performance.
