Description
Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to 2.10.2, there is an improper access control vulnerability that allows unauthorized users to trigger a reset or deletion of metadata for any tenant. By sending a crafted request to the /resetMemoryCache endpoint, an attacker can clear cached configurations, environments, and cluster data. This vulnerability is fixed in 2.10.2.
Published: 2026-02-11
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass permits arbitrary reset of tenant metadata
Action: Patch Now
AI Analysis

Impact

An improper authorization check on the /resetMemoryCache endpoint allows unauthenticated users to clear cached configurations, environments, and cluster data for any tenant. This can lead to loss of critical metadata, service disruption, and potential exposure of sensitive configuration details. The vulnerability is a remote flaw that could be exploited by sending a crafted request to the exposed API.

Affected Systems

The issue affects all instances of Aiven‑Open Klaw older than version 2.10.2. Version 2.10.2 and later contain the fix, so any deployment running 2.10.1 or earlier is considered vulnerable.

Risk and Exploitability

With a CVSS score of 7.1 and an EPSS of less than 1 %, the technical severity is moderate while the likelihood of exploitation is considered low. The vulnerability is not listed in the CISA KEV catalog, indicating no known public exploitation. A malicious actor can trigger the reset simply by accessing the endpoint, so the attack vector is network‑based and does not require privileged credentials. The impact is the ability to disrupt tenant services and erase cached state without authorization.

Generated by OpenCVE AI on April 18, 2026 at 12:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Klaw to version 2.10.2 or later
  • Restrict access to the /resetMemoryCache endpoint with network controls such as a firewall or IP whitelisting
  • Enforce authentication and authorization on the /resetMemoryCache endpoint, ensuring only privileged users can trigger a reset

Generated by OpenCVE AI on April 18, 2026 at 12:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Aiven
Aiven klaw
CPEs cpe:2.3:a:aiven:klaw:*:*:*:*:*:*:*:*
Vendors & Products Aiven
Aiven klaw

Thu, 12 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Aiven-open
Aiven-open klaw
Vendors & Products Aiven-open
Aiven-open klaw

Wed, 11 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Description Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to 2.10.2, there is an improper access control vulnerability that allows unauthorized users to trigger a reset or deletion of metadata for any tenant. By sending a crafted request to the /resetMemoryCache endpoint, an attacker can clear cached configurations, environments, and cluster data. This vulnerability is fixed in 2.10.2.
Title Klaw has an improper authorisation check on /resetMemoryCache
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H'}

Subscriptions

Aiven Klaw
Aiven-open Klaw
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-12T21:21:30.163Z

Reserved: 2026-02-09T17:41:55.859Z

Link: CVE-2026-25999

cve-icon Vulnrichment

Updated: 2026-02-12T21:21:27.263Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-11T21:16:20.963

Modified: 2026-02-26T23:25:10.173

Link: CVE-2026-25999

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T12:45:45Z

Weaknesses