Description
Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. In versions 0.49.0 through 0.50.0, when a custom Cluster or Clients CA is provided as a multistage CA chain consisting of multiple CAs, Strimzi incorrectly configures the trusted certificates for mTLS authentication on the internal listeners as well as on user-configured listeners: every CA in the chain is trusted, so users holding certificates signed by any of the CAs in the chain are able to authenticate. This issue affects only users who use a custom Cluster or Clients CA with a multistage CA chain consisting of multiple CAs. It does not affect users of the Strimzi-managed Cluster and Clients CAs, nor users of a custom Cluster or Clients CA consisting of a single CA (i.e., no CA chain with multiple CAs). This issue has been fixed in version 0.50.1. To work around this issue, instead of providing the full CA chain as the custom CA, users can provide only the single CA that should be used.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass via mTLS
Action: Apply Patch
AI Analysis

Impact

In Strimzi Kafka operator versions 0.49.0 through 0.50.0, a custom multistage CA chain is incorrectly configured so that every certificate authority in the chain is trusted for mutual TLS authentication. Any user certificate signed by any CA in the chain therefore authenticates successfully. The result is unauthorized access to the internal and user-configured Kafka listeners, bypassing the intended authentication controls.

Affected Systems

The affected product is Strimzi Kafka operator. Versions 0.49.0 through 0.50.0 that use a custom Cluster or Clients CA with a multistage CA chain are impacted. Single-CA custom CAs and Strimzi-managed CAs are not affected.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score is less than 1%, suggesting that the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need a client certificate signed by any CA in the custom chain, which is feasible if any part of the CA hierarchy is exposed or misused. Because every CA in the chain is accepted as a trust anchor, a certificate issued by one of the other CAs in the chain can be used to impersonate legitimate users without any involvement of the intended CA.

Generated by OpenCVE AI on April 17, 2026 at 17:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Strimzi Kafka operator to version 0.50.1 or later
  • If an upgrade is not immediately possible, configure the custom CA to use only a single CA instead of the full chain
  • Review and limit the set of trusted CAs for mTLS to the intended CA only and monitor for unexpected certificate usage

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 00:15:00 +0000

Type       | Values Removed          | Values Added
References |                        |
Metrics    | threat_severity: None  | threat_severity: Important

Wed, 25 Feb 2026 22:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 19:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Linuxfoundation; Linuxfoundation strimzi Kafka Operator
CPEs                |                | cpe:2.3:a:linuxfoundation:strimzi_kafka_operator:*:*:*:*:*:*:*:*
Vendors & Products  |                | Linuxfoundation; Linuxfoundation strimzi Kafka Operator

Mon, 23 Feb 2026 15:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Strimzi; Strimzi kafka-operator
Vendors & Products  |                | Strimzi; Strimzi kafka-operator

Fri, 20 Feb 2026 23:30:00 +0000

Type        | Values Removed | Values Added
Description |                | (initial description text, identical to the Description section above)
Title       |                | Strimzi: All CAs from a custom CA chain consisting of multiple CAs are trusted for mTLS user authentication
Weaknesses  |                | CWE-287; CWE-295; CWE-296
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T21:32:00.282Z

Reserved: 2026-02-17T18:42:27.044Z

Link: CVE-2026-27134

Vulnrichment

Updated: 2026-02-25T21:31:55.788Z

NVD

Status : Analyzed

Published: 2026-02-21T00:16:15.940

Modified: 2026-02-25T18:54:50.690

Link: CVE-2026-27134

Redhat

Severity : Important

Public Date: 2026-02-20T23:05:04Z

Links: CVE-2026-27134 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T17:00:10Z

Weaknesses