CVE-2026-33557

EUVD-2026-23846

20.04.2026, 14:16

A possible security vulnerability has been identified in Apache Kafka.

By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the `preferred_username` set to any user, and the broker will accept it.

We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
apache	CNA	9.1 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
apache	kafka	4.1.0 ≤ 𝑥 ≤ 4.1.1	CNA

Common Weakness Enumeration

CWE-1285 - Improper Validation of Specified Index, Position, or Offset in Input
The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.

References

https://kafka.apache.org/cve-list

https://lists.apache.org/thread/v57o00hm6yszdpdnvqx2ss4561yh953h

http://www.openwall.com/lists/oss-security/2026/04/17/2