Improper Access Control in Klaw Apache Kafka Tool
CVE-2026-25999

CVSS 7.1 HIGH

Key Information:

  • Vendor: Aiven-open
  • Status: Vendor
  • CVE Published: 11 February 2026

What is CVE-2026-25999?

Klaw, a self-service governance tool for managing Apache Kafka topics, has a vulnerability that allows unauthorized users to send crafted requests to the /resetMemoryCache endpoint. This can lead to the unauthorized reset or deletion of critical metadata for any tenant, impacting cached configurations, environments, and cluster data. The issue has been addressed in version 2.10.2, which is recommended for all users to ensure system integrity.

Affected Version(s)

klaw < 2.10.2

CVSS V3.1

  • Score: 7.1
  • Severity: HIGH
  • Confidentiality: None
  • Integrity: Low
  • Availability: None
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability Reserved