Security Vulnerability in Kafka by Apache
CVE-2026-33557

9.1CRITICAL

Key Information:

Vendor: Apache
Status: Apache Kafka
Vendor: CVE Published:; 20 April 2026

What is CVE-2026-33557?

A security vulnerability in Apache Kafka arises from the default configuration of the property sasl.oauthbearer.jwt.validator.class, which permits the acceptance of any JWT token without proper signature, issuer, or audience validation. This could allow an attacker to craft a JWT token with a preferred_username claim arbitrary user and be accepted by the broker. To mitigate the risk, users of Kafka versions 4.1.0 and 4.1.1 should change the setting to org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator, which securely validates JWT tokens. Subsequent releases, starting from version 4.1.2, have rectified this issue by incorporating proper validation measures.

Affected Version(s)

Apache Kafka 4.1.0 <= 4.1.1

References

https://kafka.apache.org/cve-list

vendor-advisory

https://lists.apache.org/thread/v57o00hm6yszdpdnvqx2ss456...

mailing-list

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 20, 2026
Vulnerability Reserved
Mar 23, 2026

Credit

Павел Романов <promanov1994@gmail.com>

CVE-2026-33557 Data

JSON