CVE-2026-45080
Deferred Deferred - Pending Action
Improper Access Control Disclosure of Password Hash in Klaw

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to version 2.10.4, improper access control allows disclosure of password hash. This issue has been patched in version 2.10.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-45080
EUVD
EUVD-2026-33962
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
klaw klaw to 2.10.4 (exc)
aiven_open klaw to 2.10.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in Klaw allows improper access control leading to the disclosure of password hashes. Such a disclosure could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive authentication credentials and personal data. However, the provided information does not explicitly describe the compliance impact or any regulatory implications.

Executive Summary

CVE-2026-45080 is an improper access control vulnerability in the Klaw software, a self-service Apache Kafka Topic Management tool. In versions 2.10.3 and earlier, this flaw allows unauthorized users to access and disclose password hashes due to insufficient access restrictions.

The vulnerability was fixed in version 2.10.4 by removing the vulnerable endpoint, which was unused in both backend and frontend.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of password hashes, potentially allowing attackers to attempt to crack passwords and gain unauthorized access to the system.

Since the vulnerability involves improper access control, it may expose sensitive authentication data, increasing the risk of compromise of user accounts or system components.

The severity of this issue is rated as moderate.

Detection Guidance

There are no specific detection commands or methods provided for identifying this vulnerability on your network or system.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Klaw to version 2.10.4 or later, where the vulnerable endpoint allowing disclosure of password hashes has been removed.

No workarounds are available, so applying the patch by upgrading is the recommended action.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45080. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart