CVE-2026-41115 - Vulnerability Details

Description

An improper authorization vulnerability has been identified in Apache Kafka.

The implementation of the CONSUMER_GROUP_DESCRIBE (69) API validates the DESCRIBE operation on the GROUP resource instead of the READ operation that documented in the official kafka documentation and the KIP-848. This discrepancy can result in misconfigured Access Control Lists (ACLs) and unintended security postures, like granting READ permission to users who should not be able to join/sync groups, or allowing users without READ permission (but with DESCRIBE permission) to access sensitive group metadata.

The correct permission for CONSUMER_GROUP_DESCRIBE API is DESCRIBE GROUP so the current implementation is correct. However, the kafka documentation as well as the KIP-848 will be updated to reflect the correct permission. We advise the Kafka users to review existing group ACLs to ensure the principle of least privilege.

Published: 2026-06-02

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The CONSUMER_GROUP_DESCRIBE API in Apache Kafka incorrectly validates the DESCRIBE operation on the GROUP resource rather than the documented READ operation. This mismatch can grant users read permission to group metadata or allow users with DESCRIBE permission to access sensitive group information even if they lack READ rights. The flaw is an authorization bypass (CWE‑285) that could expose internal group details to unauthorized parties.

Affected Systems

All installations of Apache Kafka that expose the CONSUMER_GROUP_DESCRIBE API are vulnerable, regardless of version, because the issue lies in the API’s permission validation logic. No specific version range is provided, so administrators should evaluate all Kafka clusters that use this API.

Risk and Exploitability

The vulnerability is an authorization lapse; exploitation requires an authenticated Kafka client that can invoke the CONSUMER_GROUP_DESCRIBE request. Because no EPSS score is available and the issue is not listed in CISA's KEV catalog, the current exploitation likelihood appears low but still actionable. The vendor has noted that the API’s permission check is correct but documentation will be updated. Attackers could harvest group metadata, potentially revealing consumer group configurations and usage patterns.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apache Software Foundation

Apache Kafka

unaffected

Version	Status	Constraints
`4.0.0`	affected	≤ 4.3.0

No data.

Vendor Product Confidence Versions

Apache

Kafka

95%

Version	Status	Scheme	Platform
`[4.0.0,4.3.0]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Audit all consumer group ACLs to ensure that only intended principals have DESCRIBE rights
Remove or restrict DESCRIBE permissions on consumer groups for users that should not read group information
Monitor for changes to ACLs and validate that the principle of least privilege is maintained

Generated by OpenCVE AI on June 2, 2026 at 11:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://kafka.apache.org/cve-list

History

Tue, 02 Jun 2026 11:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache kafka
Vendors & Products		Apache Apache kafka

Tue, 02 Jun 2026 10:00:00 +0000

Type	Values Removed	Values Added
Description		An improper authorization vulnerability has been identified in Apache Kafka. The implementation of the CONSUMER_GROUP_DESCRIBE (69) API validates the DESCRIBE operation on the GROUP resource instead of the READ operation that documented in the official kafka documentation and the KIP-848. This discrepancy can result in misconfigured Access Control Lists (ACLs) and unintended security postures, like granting READ permission to users who should not be able to join/sync groups, or allowing users without READ permission (but with DESCRIBE permission) to access sensitive group metadata. The correct permission for CONSUMER_GROUP_DESCRIBE API is DESCRIBE GROUP so the current implementation is correct. However, the kafka documentation as well as the KIP-848 will be updated to reflect the correct permission. We advise the Kafka users to review existing group ACLs to ensure the principle of least privilege.
Title		Apache Kafka: Improper Authorization in CONSUMER_GROUP_DESCRIBE API
Weaknesses		CWE-285
References		https://kafka.apache.org/cve-list

Subscriptions

Apache Kafka

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-06-02T08:56:43.636Z

Updated: 2026-06-02T08:56:43.636Z

Reserved: 2026-04-17T03:09:02.257Z

Link: CVE-2026-41115

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-06-02T10:16:25.107

Modified: 2026-06-02T13:04:00.123

Link: CVE-2026-41115

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T11:30:07Z

Weaknesses

CWE-285

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object