CVE-2026-45080
Received - Intake
Improper Access Control Disclosure of Password Hash in Klaw

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to version 2.10.4, improper access control allows disclosure of password hash. This issue has been patched in version 2.10.4.
Meta Information
Published: 2026-06-02
Last Modified: 2026-06-02
Generated: 2026-06-02
AI Q&A: 2026-06-02
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor | Product | Version / Range
klaw | klaw | up to 2.10.4 (excluding)
aiven_open | klaw | up to 2.10.4 (excluding)
CWE ID | Description
CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Klaw allows improper access control leading to the disclosure of password hashes. Such a disclosure could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive authentication credentials and personal data. However, the provided information does not explicitly describe the compliance impact or any regulatory implications.


Can you explain this vulnerability to me?

CVE-2026-45080 is an improper access control vulnerability in the Klaw software, a self-service Apache Kafka Topic Management tool. In versions 2.10.3 and earlier, this flaw allows unauthorized users to access and disclose password hashes due to insufficient access restrictions.

The vulnerability was fixed in version 2.10.4 by removing the vulnerable endpoint, which was unused in both backend and frontend.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of password hashes, potentially allowing attackers to attempt to crack passwords and gain unauthorized access to the system.

Since the vulnerability involves improper access control, it may expose sensitive authentication data, increasing the risk of compromise of user accounts or system components.

The severity of this issue is rated as moderate.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

There are no specific detection commands or methods provided for identifying this vulnerability on your network or system.


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade Klaw to version 2.10.4 or later, where the vulnerable endpoint allowing disclosure of password hashes has been removed.

No workarounds are available, so applying the patch by upgrading is the recommended action.

