Description

A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the `preferred_username` set to any user, and the broker will accept it. We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.

INFO

Published Date :

2026-04-20T13:28:43.669Z

Last Modified :

2026-04-20T14:30:30.936Z

Source :

apache
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33557 vulnerability.

Vendors Products
Apache
  • Kafka
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33557.

URL Resource
http://www.openwall.com/lists/oss-security/2026/04/17/2 cve-icon
https://kafka.apache.org/cve-list cve-icon cve-icon
https://lists.apache.org/thread/v57o00hm6yszdpdnvqx2ss4561yh953h cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact