CVE-2026-33558— Apache Kafka, Apache Kafka Clients: Information Exposure Through Network Client Log Output
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-33558
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apache Kafka, Apache Kafka Clients: Information Exposure Through Network Client Log Output
Source: NVD (National Vulnerability Database)
Vulnerability Description
Information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensitive information will be exposed via the requests and responses output log. The entire lists of impacted requests and responses are: * AlterConfigsRequest * AlterUserScramCredentialsRequest * ExpireDelegationTokenRequest * IncrementalAlterConfigsRequest * RenewDelegationTokenRequest * SaslAuthenticateRequest * createDelegationTokenResponse * describeDelegationTokenResponse * SaslAuthenticateResponse This issue affects Apache Kafka: from any version supported the listed API above through v3.9.1, v4.0.0. We advise the Kafka users to upgrade to v3.9.2, v4.0.1, or later to avoid this vulnerability.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-533
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache Kafka 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache Kafka是美国阿帕奇(Apache)基金会的一套开源的分布式流媒体平台。该平台能够获取实时数据,用于构建对数据流的变化进行实时反应的应用程序。 Apache Kafka 3.9.1及之前版本和4.0.0及之前版本存在安全漏洞,该漏洞源于NetworkClient组件在DEBUG日志级别输出敏感请求和响应信息,可能导致信息泄露。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache Kafka | 0.11.0 ~ 3.9.1 | - | |
| Apache Software Foundation | Apache Kafka Clients | 0.11.0 ~ 3.9.1 | - |
II. Public POCs for CVE-2026-33558
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-33558
请登录查看更多情报信息。
Same Patch Batch · Apache Software Foundation · 2026-04-20 · 3 CVEs total
| CVE-2025-66335 | Apache Doris MCP Server: MCP SQL inject | |
| CVE-2026-33557 | Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication |
IV. Related Vulnerabilities
Same product: Apache Kafka
- CVE-2026-33557
Apache Kafka: Missing JWT token validation in OAUTHBEARER au - CVE-2025-27819
Apache Kafka: Possible RCE/Denial of service attack via SASL - CVE-2025-27818
Apache Kafka: Possible RCE attack via SASL JAAS LdapLoginMod - CVE-2024-56128
Apache Kafka: SCRAM authentication vulnerable to replay atta - CVE-2024-27309
Apache Kafka: Potential incorrect access control during migr
Same vendor: Apache Software Foundation
- CVE-2026-39816
Apache NiFi: Missing Execute Code Required Permission on Tin - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro - CVE-2026-25077
Apache CloudStack: Unauthenticated Command Injection in Dire - CVE-2025-69233
Apache CloudStack: Domain/account resources limits not honor - CVE-2025-66467
Apache CloudStack: MinIO policy remains intact on bucket del
V. Comments for CVE-2026-33558
No comments yet