Description
A possible security vulnerability has been identified in Apache Kafka.

By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the `preferred_username` set to any user, and the broker will accept it.

We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.
Published: 2026-04-20
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: Unauthorized Access via JWT Forgery
Action: Update config
AI Analysis

Impact

The vulnerability is caused by the default JWT validator in Kafka brokers, which accepts any JWT token without verifying its signature, issuer, or audience. Because of this missing validation, an attacker can produce a forged token containing any desired username, and the broker will treat the token as legitimate. This flaw, a CWE-1285 Missing Credentials Validation weakness, can lead to unauthorized access to Kafka resources and impersonation of legitimate users.

Affected Systems

Apache Software Foundation's Apache Kafka versions 4.1.0 and 4.1.1 are affected when the broker property sasl.oauthbearer.jwt.validator.class is set to its default value. The issue is resolved in Kafka 4.1.2 and later, including 4.2.0 and newer releases.

Risk and Exploitability

The CVSS score is 9.1, and the EPSS score is unavailable, but the vulnerability is active for all brokers running the vulnerable default configuration. An attacker who can connect to the broker using the OAUTHBEARER mechanism can simply send a malicious JWT to gain full access. The vulnerability does not require local privileges and can be triggered over the network, making it a high‑risk security concern. It is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 20, 2026 at 16:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Set sasl.oauthbearer.jwt.validator.class to org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator in broker configuration.
  • Upgrade to Kafka 4.1.2, 4.2.0 or later where the default validator has been fixed.
  • Restart Kafka broker services so that the configuration change takes effect.

Generated by OpenCVE AI on April 20, 2026 at 16:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache kafka
Vendors & Products Apache
Apache kafka

Mon, 20 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
References

Mon, 20 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Description A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the `preferred_username` set to any user, and the broker will accept it. We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.
Title Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication
Weaknesses CWE-1285
References

Subscriptions

Apache Kafka
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-20T14:30:30.936Z

Reserved: 2026-03-23T03:14:53.527Z

Link: CVE-2026-33557

cve-icon Vulnrichment

Updated: 2026-04-20T13:38:51.117Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-20T14:16:18.780

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-33557

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T16:45:11Z

Weaknesses