CVE-2026-57915
Deferred Deferred - Pending Action

Kerberos Pre-Authentication Bypass in Apache Kerby

Vulnerability report for CVE-2026-57915, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-07-15

Assigner: Apache Software Foundation

Description

It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an unrecognized or unsupported type. Users are recommended to upgrade to version 2.1.2, which fixes this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-07-15
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
apache kerby 2.1.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-358 The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.
CWE-304 The product implements an authentication technique, but it skips a step that weakens the technique.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability allows an attacker to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an unrecognized or unsupported type.

This means that the normal security step that verifies the identity of a user before granting access can be circumvented.

Users are advised to upgrade to Apache Kerby version 2.1.2, which contains a fix for this issue.

Impact Analysis

By bypassing the Kerberos pre-authentication check, an attacker could potentially gain unauthorized access to systems or services that rely on Apache Kerby for authentication.

This could lead to unauthorized access to sensitive information or resources, compromising the security of the affected environment.

Compliance Impact

The vulnerability in Apache Kerby allows bypassing the Kerberos pre-authentication check, which could lead to unauthorized access or reduced security of authentication mechanisms.

Such a security weakness may impact compliance with standards and regulations like GDPR and HIPAA, which require strong access controls and protection of sensitive data.

However, the provided information does not explicitly describe the direct effects on compliance with these regulations.

Mitigation Strategies

To mitigate this vulnerability, users are recommended to upgrade Apache Kerby to version 2.1.2, which contains the fix for the Kerberos pre-authentication bypass issue.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57915. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart