This is an automated email from the ASF dual-hosted git repository.

mimaison pushed a commit to branch markdown
in repository https://gitbox.apache.org/repos/asf/kafka-site.git


The following commit(s) were added to refs/heads/markdown by this push:
     new 35e1d6e8ef MINOR: Add CVE-2026-33557 and CVE-2026-33558 (#848)
35e1d6e8ef is described below

commit 35e1d6e8ef354635baa7d0ee40773ff6e733ae56
Author: Luke Chen <[email protected]>
AuthorDate: Fri Apr 17 20:50:04 2026 +0900

    MINOR: Add CVE-2026-33557 and CVE-2026-33558 (#848)
    
    
    Reviewers: Mickael Maison <[email protected]>
---
 content/en/community/cve-list.md | 114 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 114 insertions(+)

diff --git a/content/en/community/cve-list.md b/content/en/community/cve-list.md
index 1a6787ba1d..b5ba3fd017 100644
--- a/content/en/community/cve-list.md
+++ b/content/en/community/cve-list.md
@@ -30,6 +30,120 @@ This page lists all security vulnerabilities fixed in 
released versions of Apach
 
 This page does **not** list security advisories for dependencies of Kafka. If 
your security scanner warns that there is an advisory for a dependency of 
Kafka, please see [this 
documentation](https://security.apache.org/report-dependency/). You can find 
the current development versions of various dependencies 
[here](https://github.com/apache/kafka/blob/trunk/gradle/dependencies.gradle). 
You can find a list of advisories that have been confirmed not to apply to 
Kafka [here](https://github. [...]
 
+## [CVE-2026-33558](https://nvd.nist.gov/vuln/detail/CVE-2026-33558) Apache 
Kafka, Apache Kafka Clients: Information Exposure Through Network Client Log 
Output {#CVE-2026-33558}
+
+The NetworkClient component will output entire requests and responses 
information in the DEBUG log level in the logs. By default, the log level is 
set to INFO level. 
+If the DEBUG level is enabled, the sensitive information will be exposed via 
the requests and responses output log. The entire lists of impacted requests 
and responses are:
+-  AlterConfigsRequest
+-  AlterUserScramCredentialsRequest
+-  ExpireDelegationTokenRequest
+-  IncrementalAlterConfigsRequest
+-  RenewDelegationTokenRequest
+-  SaslAuthenticateRequest
+-  createDelegationTokenResponse
+-  describeDelegationTokenResponse
+-  SaslAuthenticateResponse
+
+<table>
+<tr>
+<td>
+
+Versions affected
+</td>
+<td>
+
+Apache Kafka Clients 
([kafka-clients](https://mvnrepository.com/artifact/org.apache.kafka/kafka-clients))
 0.11.0 through 3.9.1, 4.0.0
+</td> </tr>
+<tr>
+<td>
+
+Fixed versions
+</td>
+<td>
+
+3.9.2, 4.0.1, 4.1.0
+</td> </tr>
+<tr>
+<td>
+
+Impact
+</td>
+<td>
+
+Sensitive information exposure through network client log output
+</td> </tr>
+<tr>
+<td>
+
+Advice
+</td>
+<td>
+
+Kafka users are advised to use INFO log level or higher for NetworkClient 
class or upgrade to 3.9.2, 4.0.1, 4.1.0, or later to address this vulnerability.
+</td> </tr>
+<tr>
+<td>
+
+Issue announced
+</td>
+<td>
+
+17 Apr 2026
+</td> </tr> </table>
+
+## [CVE-2026-33557](https://nvd.nist.gov/vuln/detail/CVE-2026-33557) Apache 
Kafka: Missing JWT token validation in OAUTHBEARER authentication 
{#CVE-2026-33557}
+
+When `sasl.enabled.mechanisms=OAUTHBEARER` is configured on the server side, 
by default the broker property `sasl.oauthbearer.jwt.validator.class` is set to 
`org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. 
+It accepts any JWT token without validating its signature, issuer, or 
audience. An attacker can generate a JWT token from any issuer with the 
`preferred_username` set to any user, and the broker will accept it.
+
+<table>
+<tr>
+<td>
+
+Versions affected
+</td>
+<td>
+
+4.1.0 - 4.1.1
+</td> </tr>
+<tr>
+<td>
+
+Fixed versions
+</td>
+<td>
+
+4.1.2, 4.2.0
+</td> </tr>
+<tr>
+<td>
+
+Impact
+</td>
+<td>
+
+An attacker can generate a JWT token from any issuer with the 
`preferred_username` set to any user, and the broker will accept it.
+
+</td> </tr>
+<tr>
+<td>
+
+Advice
+</td>
+<td>
+
+We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config 
`sasl.oauthbearer.jwt.validator.class` to 
`org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to 
avoid this vulnerability. Or upgrade to v4.1.2, v4.2.0 and later.
+</td> </tr>
+<tr>
+<td>
+
+Issue announced
+</td>
+<td>
+
+17 Apr 2026
+</td> </tr> </table>
+
 ## [CVE-2026-35554](https://nvd.nist.gov/vuln/detail/CVE-2026-35554) Apache 
Kafka Clients: Kafka Producer Message Corruption and Misrouting via Buffer Pool 
Race Condition {#CVE-2026-35554}
 
 A race condition in the Apache Kafka Java producer client's buffer pool 
management can cause messages to be silently delivered to incorrect topics.
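Review bot: the CVE-2026-33558 heading names "Apache Kafka, Apache Kafka Clients", but its "Versions affected" cell lists only kafka-clients ("0.11.0 through 3.9.1, 4.0.0"); either add the affected broker versions to that cell or drop "Apache Kafka" from the heading so it is clear whether the broker is in scope. In the same entry the impacted list mixes casing: `createDelegationTokenResponse` and `describeDelegationTokenResponse` start lower-case while the other seven entries are capitalized class names, so capitalize those two to match. In the CVE-2026-33557 entry, "4.1.0 - 4.1.1" should use the "through" wording the entry above uses, the Advice cell ends in a fragment ("Or upgrade to v4.1.2, v4.2.0 and later.") that reads better folded into the preceding sentence as "…to avoid this vulnerability, or upgrade to 4.1.2, 4.2.0 or later", and the Impact cell has a stray blank line before its `</td>` that none of the other cells have.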
