Description
Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 to before 0.50.1, when a chain consisting of multiple CA (Certificate Authority) certificates is used in the trusted certificates configuration of a Kafka Connect operand or of the target cluster in the Kafka MirrorMaker 2 operand, all of the certificates that are part of the CA chain will be trusted individually when connecting to the Apache Kafka cluster. Due to this error, the affected operand (Kafka Connect or Kafka MirrorMaker 2) might accept connections to Kafka brokers using server certificates signed by one of the other CAs in the CA chain and not just by the last CA in the chain. This issue is fixed in Strimzi 0.50.1.
Published: 2026-02-20
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Every CA in a configured certificate chain trusted individually, enabling broker impersonation
Action: Patch
AI Analysis

Impact

In affected versions, every certificate in a multi-CA chain supplied as the trusted certificates of a Kafka Connect operand, or of a target cluster of a Kafka MirrorMaker 2 operand, is loaded as its own trust anchor. A broker that presents a server certificate issued by any CA in that chain, rather than only by the last CA, is therefore accepted, which lets a host holding such a certificate impersonate a broker or sit in the connection path as a man-in-the-middle. The weakness is classified as CWE-295 (Improper Certificate Validation) and CWE-296 (Improper Following of a Certificate's Chain of Trust).

Affected Systems

Strimzi versions from 0.47.0 up to and including 0.50.0 (every release before 0.50.1) are affected, and only when the trusted certificates configuration of Kafka Connect or of a MirrorMaker 2 target cluster contains a chain of more than one CA certificate; a configuration holding a single CA certificate does not trigger the flaw. Strimzi 0.50.1 contains the fix.

Risk and Exploitability

The CVSS 3.1 base score is 5.9 (vector AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N): reachable over the network, but with high attack complexity and high privileges required, and with high impact on confidentiality and integrity and none on availability. The EPSS score is below 1%, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires an attacker who holds a server certificate for the broker's name issued by one of the other CAs in the configured chain (for example, a certificate issued directly by a shared root when the brokers are meant to be trusted only through a dedicated issuing CA) and who can steer the Connect or MirrorMaker 2 operand's connection to an endpoint they control, whether by DNS, routing or a compromised broker host. The affected operand accepts the connection as genuine, so the attacker can read and alter the records it produces or consumes. The low exploitation probability limits the immediate risk, but a successful attack compromises the confidentiality and integrity of the data stream.

Generated by OpenCVE AI on April 17, 2026 at 17:00 UTC.

Remediation

Vendor fix: Strimzi 0.50.1. The advisory text names no workaround, but since the flaw is only triggered when the trusted certificates configuration contains more than one CA certificate, reducing the configured bundle to the single intended CA avoids it on affected versions.

OpenCVE Recommended Actions

  • Upgrade Strimzi to 0.50.1 or newer, which trusts only the last CA of a configured chain.
  • Until the upgrade is done, configure the trusted certificates of Kafka Connect and of each MirrorMaker 2 target cluster with a single CA certificate, the one meant to act as the trust anchor for the broker certificates, rather than the full chain. Whichever CA that is, every broker certificate must still chain to it through the certificates the broker presents in the TLS handshake.
  • Inspect the secrets referenced by those configurations: count the CERTIFICATE blocks, note which CA comes last, confirm that the brokers' server certificates are issued by the intended CA, and treat every other CA in the bundle as one whose issued certificates an unpatched operand would also accept.

Generated by OpenCVE AI on April 17, 2026 at 17:00 UTC.
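The trust expansion described above and the bundle check from the recommended actions, as an added example written for this page in Go (it is not Strimzi's code, which is Java). It builds a toy chain of a root and one issuing CA, issues a legitimate broker certificate from the last CA and a rogue certificate for the same name from the root, and compares what is accepted when every certificate in the bundle is a trust anchor (the affected behaviour) against only the last one (the 0.50.1 behaviour). It then renders the chain as PEM, the form it takes in the secret referenced by the operand's trusted certificates configuration (tls.trustedCertificates in the Strimzi custom resources), and counts the CA certificates in it. The broker name, the CA names and the root-first ordering of the chain are assumptions constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// brokerName is a hypothetical bootstrap address; the operand checks the broker's certificate against it.
const brokerName = "kafka-bootstrap.example.internal"

type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with parent, or self-signs it when parent is nil, using a fresh P-256 key.
func issue(tmpl *x509.Certificate, parent *identity) *identity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return &identity{cert: must(x509.ParseCertificate(der)), key: key}
}

func newCA(cn string, parent *identity) *identity {
	return issue(&x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, parent)
}

func newServerCert(issuer *identity) *x509.Certificate {
	return issue(&x509.Certificate{Subject: pkix.Name{CommonName: brokerName}, DNSNames: []string{brokerName},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, issuer).cert
}

// accepted reports whether a client that trusts exactly anchors would accept serverCert for brokerName.
func accepted(anchors []*x509.Certificate, serverCert *x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, c := range anchors {
		pool.AddCert(c)
	}
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: pool, DNSName: brokerName})
	return err == nil
}

// ToPEM renders the chain the way it would sit in the secret referenced by the trusted certificates configuration.
func ToPEM(chain []*x509.Certificate) (out []byte) {
	for _, c := range chain {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// CACount is the check to run on an existing bundle: how many CA certificates it carries and which
// one is last. More than one means an affected operand trusts every one of them as an anchor.
func CACount(bundle []byte) (n int, lastCN string) {
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if c, err := x509.ParseCertificate(blk.Bytes); err == nil && c.IsCA {
			n, lastCN = n+1, c.Subject.CommonName
		}
	}
	return n, lastCN
}

type outcome struct{ Legit, Rogue bool }

// Scenario builds the toy PKI and reports what the affected and the fixed trust model each accept.
func Scenario() (affected, fixed outcome, bundle []byte) {
	root := newCA("Example Corporate Root CA", nil)
	kafkaCA := newCA("Example Kafka Intermediate CA", root)
	chain := []*x509.Certificate{root.cert, kafkaCA.cert} // configured chain: root first, issuing CA last
	legit := newServerCert(kafkaCA)                        // the real broker certificate, issued by the last CA
	rogue := newServerCert(root)                           // attacker-held certificate for the same name, issued by the other CA in the chain
	last := chain[len(chain)-1:]
	affected = outcome{accepted(chain, legit), accepted(chain, rogue)} // 0.47.0 to 0.50.0: every CA in the chain is an anchor
	fixed = outcome{accepted(last, legit), accepted(last, rogue)}      // 0.50.1: only the last CA is an anchor
	return affected, fixed, ToPEM(chain)
}

func main() {
	affected, fixed, bundle := Scenario()
	n, last := CACount(bundle)
	fmt.Printf("bundle: %d CA certificates, last is %q\n", n, last)
	fmt.Printf("affected (all CAs trusted): %+v\nfixed (last CA only): %+v\n", affected, fixed)
}
```

Running it prints that the bundle holds 2 CA certificates, that the affected model accepts both the legitimate and the rogue certificate, and that the fixed model accepts only the legitimate one. The same CACount logic applied to the base64-decoded ca.crt of a real secret is the quickest way to tell whether an affected deployment is exposed.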

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 22:00:00 +0000

First Time appeared
  Added:   Linuxfoundation strimzi
CPEs
  Removed: cpe:2.3:a:linuxfoundation:strimzi_kafka_operator:*:*:*:*:*:*:*:*
  Added:   cpe:2.3:a:linuxfoundation:strimzi:*:*:*:*:*:*:*:*
Vendors & Products
  Removed: Linuxfoundation strimzi Kafka Operator
  Added:   Linuxfoundation strimzi

Thu, 26 Feb 2026 00:15:00 +0000

References
Metrics
  Removed: threat_severity None
  Added:   threat_severity Moderate

Wed, 25 Feb 2026 22:15:00 +0000

Metrics
  Added:   ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 19:00:00 +0000

First Time appeared
  Added:   Linuxfoundation
  Added:   Linuxfoundation strimzi Kafka Operator
CPEs
  Added:   cpe:2.3:a:linuxfoundation:strimzi_kafka_operator:*:*:*:*:*:*:*:*
Vendors & Products
  Added:   Linuxfoundation
  Added:   Linuxfoundation strimzi Kafka Operator

Mon, 23 Feb 2026 15:00:00 +0000

First Time appeared
  Added:   Strimzi
  Added:   Strimzi kafka-operator
Vendors & Products
  Added:   Strimzi
  Added:   Strimzi kafka-operator

Fri, 20 Feb 2026 22:45:00 +0000

Description
  Added:   Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 to before 0.50.1, when a chain consisting of multiple CA (Certificate Authority) certificates is used in the trusted certificates configuration of a Kafka Connect operand or of the target cluster in the Kafka MirrorMaker 2 operand, all of the certificates that are part of the CA chain will be trusted individually when connecting to the Apache Kafka cluster. Due to this error, the affected operand (Kafka Connect or Kafka MirrorMaker 2) might accept connections to Kafka brokers using server certificates signed by one of the other CAs in the CA chain and not just by the last CA in the chain. This issue is fixed in Strimzi 0.50.1.
Title
  Added:   Strimzi All CAs from CA chain will be trusted in Kafka Connect and Kafka MirrorMaker 2 target clusters
Weaknesses
  Added:   CWE-295
  Added:   CWE-296
References
Metrics
  Added:   cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T21:32:33.009Z

Reserved: 2026-02-17T18:42:27.044Z

Link: CVE-2026-27133

Vulnrichment

Updated: 2026-02-25T21:32:29.628Z

NVD

Status : Analyzed

Published: 2026-02-20T23:16:02.933

Modified: 2026-02-27T21:48:29.913

Link: CVE-2026-27133

Redhat

Severity : Moderate

Public Date: 2026-02-20T22:38:27Z

Links: CVE-2026-27133 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T17:15:23Z

Weaknesses