Description
An information exposure vulnerability has been identified in Apache Kafka.

The NetworkClient component writes the full contents of requests and responses to the log at the DEBUG log level. By default, the log level is set to INFO. If the DEBUG level is enabled, sensitive information is exposed through the logged request and response output. The complete list of impacted requests and responses is:

* AlterConfigsRequest
* AlterUserScramCredentialsRequest
* ExpireDelegationTokenRequest
* IncrementalAlterConfigsRequest
* RenewDelegationTokenRequest
* SaslAuthenticateRequest
* createDelegationTokenResponse
* describeDelegationTokenResponse
* SaslAuthenticateResponse

This issue affects Apache Kafka from any version that supports the APIs listed above through v3.9.1 and v4.0.0. We advise Kafka users to upgrade to v3.9.2, v4.0.1, or later to avoid this vulnerability.
Published: 2026-04-20
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Sensitive Information Exposure via Log Files
Action: Patch
AI Analysis

Impact

The NetworkClient component in Apache Kafka and its client library logs complete request and response bodies when the DEBUG log level is enabled. Because DEBUG is not the default level, a user who enables debugging can inadvertently expose highly sensitive data such as credentials, tokens, or configuration changes to anyone with access to the log files. The flaw is classified as CWE-533 (information exposure) and does not involve code execution or denial of service. It would allow an attacker to read private data only if they can access the logs or influence the logging configuration.

Affected Systems

Apache Kafka and Apache Kafka Clients from any supported version through v3.9.1 and v4.0.0 are affected. The upgrade advisories recommend moving to v3.9.2 or v4.0.1 and newer releases.

Risk and Exploitability

Exploiting this issue requires that the attacker can enable the DEBUG log level or otherwise modify the Kafka logging configuration. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Although the CVSS score is 5.3, the risk is primarily accidental disclosure of sensitive data rather than direct exploitation of the system. The potential impact is limited to the confidentiality of information written to logs while DEBUG is enabled.

Generated by OpenCVE AI on April 20, 2026 at 16:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Kafka and Apache Kafka Clients to v3.9.2, v4.0.1, or later versions to eliminate the debug logging of request and response data.
  • Ensure the log level is set to INFO or higher (DEBUG disabled) in all production environments to prevent sensitive data from being logged.
  • Review existing production log files for evidence of sensitive data that may have been exposed during periods when DEBUG was enabled, and take appropriate data handling actions.
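One way to carry out the log review above, as an added example that is not from the advisory or from the Kafka project: a small scanner that flags DEBUG-level lines mentioning any of the impacted request or response types. The log line layout and the sample lines are constructed assumptions that approximate Kafka's default log4j pattern, and the payload fields in them are invented.

```python
import re
from dataclasses import dataclass

# Request/response types the advisory names as logged in full at DEBUG level.
SENSITIVE_TYPES = (
    "AlterConfigsRequest", "AlterUserScramCredentialsRequest",
    "ExpireDelegationTokenRequest", "IncrementalAlterConfigsRequest",
    "RenewDelegationTokenRequest", "SaslAuthenticateRequest",
    "CreateDelegationTokenResponse", "DescribeDelegationTokenResponse",
    "SaslAuthenticateResponse",
)
# Assumed line layout: "[timestamp] LEVEL message (logger)". Type names are
# matched case-insensitively because the advisory lists some with a lowercase
# initial, and as substrings so "...RequestData(...)" payload dumps also hit.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$")
TYPE_RE = re.compile("|".join(SENSITIVE_TYPES), re.IGNORECASE)

@dataclass
class Finding:
    timestamp: str
    level: str
    request_type: str

def scan_log_lines(lines):
    """Return a Finding for every DEBUG line that mentions an impacted type.

    INFO/WARN lines are skipped even if they name a request type: only DEBUG
    output carries the full request/response body described in the advisory.
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m or m.group("level") != "DEBUG":
            continue
        hit = TYPE_RE.search(m.group("msg"))
        if hit:
            findings.append(Finding(m.group("ts"), "DEBUG", hit.group(0)))
    return findings

# Constructed sample log lines (not captured from a real broker or client).
SAMPLE_LOG = [
    "[2026-04-20 15:10:01,112] INFO [Producer clientId=app-1] Cluster ID: XYZ (org.apache.kafka.clients.Metadata)",
    "[2026-04-20 15:10:02,004] DEBUG [Producer clientId=app-1] Sending SASL_AUTHENTICATE request to node 1: SaslAuthenticateRequestData(authBytes=<invented>) (org.apache.kafka.clients.NetworkClient)",
    "[2026-04-20 15:10:02,010] DEBUG [Producer clientId=app-1] Received SASL_AUTHENTICATE response from node 1: SaslAuthenticateResponseData(authBytes=<invented>) (org.apache.kafka.clients.NetworkClient)",
    "[2026-04-20 15:11:30,500] INFO [AdminClient clientId=adm-1] AlterConfigsRequest completed (org.apache.kafka.clients.admin.KafkaAdminClient)",
    "[2026-04-20 15:12:00,001] DEBUG [AdminClient clientId=adm-1] Sending ALTER_USER_SCRAM_CREDENTIALS request to node 2: AlterUserScramCredentialsRequestData(<invented>) (org.apache.kafka.clients.NetworkClient)",
]

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG):
        print(f"{f.timestamp}: {f.request_type} body written at DEBUG")
```

Run `scan_log_lines(open(path))` over a real log file; any finding means that file should be handled as if it contains credentials or tokens and the corresponding secrets rotated.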

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 15:15:00 +0000
  Metrics added:
    cvssV3_1: score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    ssvc (version 2.0.3): Automatable yes, Exploitation none, Technical Impact partial

Mon, 20 Apr 2026 14:30:00 +0000
  References added (no values shown)

Mon, 20 Apr 2026 14:00:00 +0000
  Description added (initial description text, identical to the Description section above)
  Title added: Apache Kafka, Apache Kafka Clients: Information Exposure Through Network Client Log Output
  Weaknesses added: CWE-533
  References added (no values shown)

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-20T14:20:41.640Z

Reserved: 2026-03-23T03:46:25.070Z

Link: CVE-2026-33558

Vulnrichment

Updated: 2026-04-20T13:38:53.596Z

NVD

Status: Awaiting Analysis

Published: 2026-04-20T14:16:19.010

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-33558

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T16:45:11Z

Weaknesses