CVE-2026-33557— Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-33557
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication
Source: NVD (National Vulnerability Database)
Vulnerability Description
A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the `preferred_username` set to any user, and the broker will accept it. We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-1285
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache Kafka 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache Kafka是美国阿帕奇(Apache)基金会的一套开源的分布式流媒体平台。该平台能够获取实时数据,用于构建对数据流的变化进行实时反应的应用程序。 Apache Kafka 4.1.0版本和4.1.1版本存在安全漏洞,该漏洞源于默认JWT验证器未验证令牌签名、颁发者或受众,可能导致身份验证绕过。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache Kafka | 4.1.0 ~ 4.1.1 | - |
II. Public POCs for CVE-2026-33557
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-33557
请登录查看更多情报信息。
Same Patch Batch · Apache Software Foundation · 2026-04-20 · 3 CVEs total
| CVE-2026-33558 | Apache Kafka, Apache Kafka Clients: Information Exposure Through Network Client Log Output | |
| CVE-2025-66335 | Apache Doris MCP Server: MCP SQL inject |
IV. Related Vulnerabilities
Same product: Apache Kafka
- CVE-2026-33558
Apache Kafka, Apache Kafka Clients: Information Exposure Thr - CVE-2025-27819
Apache Kafka: Possible RCE/Denial of service attack via SASL - CVE-2025-27818
Apache Kafka: Possible RCE attack via SASL JAAS LdapLoginMod - CVE-2024-56128
Apache Kafka: SCRAM authentication vulnerable to replay atta - CVE-2024-27309
Apache Kafka: Potential incorrect access control during migr
Same vendor: Apache Software Foundation
- CVE-2026-39816
Apache NiFi: Missing Execute Code Required Permission on Tin - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro - CVE-2026-25077
Apache CloudStack: Unauthenticated Command Injection in Dire - CVE-2025-69233
Apache CloudStack: Domain/account resources limits not honor - CVE-2025-66467
Apache CloudStack: MinIO policy remains intact on bucket del
Same weakness: CWE-1285
- CVE-2018-25232
Softros LAN Messenger 9.2 Denial of Service via Log Files Lo - CVE-2019-25625
Blob Studio 2.17 Denial of Service via Malformed Input - CVE-2019-25622
Paint Studio 2.17 Denial of Service via Malformed Input - CVE-2019-25593
jetCast Server 2.0 Denial of Service via Log Directory - CVE-2025-2399
Denial of Service (DoS) Vulnerability in Mitsubishi Electric
V. Comments for CVE-2026-33557
No comments yet