Description
kafka-sink-azure-kusto Kafka Connect plugin is the official Microsoft sink for Azure Data Explorer (Kusto). Prior to 5.2.3, kafka-sink-azure-kusto did not sanitize user-controlled values inside the kusto.tables.topics.mapping configuration. The db, table, mapping, and format fields of each mapping entry were interpolated directly into KQL management/query commands via String.formatted(...) (e.g., FETCH_TABLE_COMMAND.formatted(table) → "<table> | count", FETCH_TABLE_MAPPING_COMMAND.formatted(table, format, mapping) → ".show table <table> ingestion <format> mapping '<mapping>'"). An actor able to influence the connector configuration (for example, someone with permissions to submit or edit Kafka Connect connector configs) could embed KQL metacharacters (;, |, ') to execute arbitrary management commands in the context of the connector's service principal — enabling schema enumeration/modification, ingestion-mapping tampering, or changes to streaming/retention policies on the target Azure Data Explorer database. This is a tampering vulnerability. Exploitation requires privileged access to the connector configuration; no end-user interaction or Kafka record payload is involved. This vulnerability is fixed in 5.2.3.
Published: 2026-05-11
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to version 5.2.3, the Kafka Connect plugin for Azure Data Explorer did not sanitize user‑controlled configuration values in the kusto.tables.topics.mapping setting. The plugin used Java String.format to interpolate table, mapping and format fields directly into KQL management commands such as FETCH_TABLE_COMMAND and FETCH_TABLE_MAPPING_COMMAND. Because of this, an attacker who could influence the connector configuration could inject KQL metacharacters, causing arbitrary management commands to be executed in the context of the connector’s service principal. The attacker could enumerate and alter schemas, tamper with ingestion mappings, or modify streaming and retention policies, representing a tampering vulnerability.
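The description above and the impact summary both come down to one defect: the db, table, format and mapping fields of each kusto.tables.topics.mapping entry reached KQL commands without validation. As an added example (not part of this CVE record or the connector's own code), the audit below parses such a mapping value and reports every interpolated field that carries a KQL metacharacter or fails a conservative allowlist; it assumes the value is a JSON array of objects with keys topic, db, table, format and optional mapping, and the allowlist pattern is an assumed choice rather than the connector's rule.

```python
import json
import re

# Fields of each kusto.tables.topics.mapping entry that, per the advisory,
# were interpolated into KQL commands via String.formatted(...) unsanitized.
INTERPOLATED_FIELDS = ("db", "table", "mapping", "format")

# KQL metacharacters named in the advisory.
KQL_METACHARS = (";", "|", "'")

# Assumed conservative allowlist for an unbracketed KQL entity name or format
# token (stricter than the connector; names needing ['bracket'] quoting fail).
SAFE_TOKEN = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]{0,1023}$")

def token_problem(value):
    """Return why value must not be interpolated into KQL, or None if safe."""
    if not isinstance(value, str):
        return "not a string"
    found = [c for c in KQL_METACHARS if c in value]
    if found:
        return "contains KQL metacharacter(s) " + " ".join(repr(c) for c in found)
    if not SAFE_TOKEN.match(value):
        return "does not match the allowlist pattern"
    return None

def audit_topics_mapping(raw_config_value):
    """Parse a mapping value (assumed JSON array of objects with keys topic, db,
    table, format and optional mapping); return one finding per failing field."""
    findings = []
    for index, entry in enumerate(json.loads(raw_config_value)):
        for field in INTERPOLATED_FIELDS:
            if field not in entry:
                continue  # e.g. mapping is optional
            reason = token_problem(entry[field])
            if reason is not None:
                findings.append({"entry": index, "topic": entry.get("topic"),
                                 "field": field, "value": entry[field],
                                 "reason": reason})
    return findings

# Constructed sample: entry 0 is clean, entry 1 has metacharacters in "table".
SAMPLE_MAPPING = json.dumps([
    {"topic": "orders", "db": "sales", "table": "Orders",
     "format": "json", "mapping": "OrdersMapping"},
    {"topic": "audit", "db": "sales", "table": "Audit';x", "format": "json"},
])

if __name__ == "__main__":
    for f in audit_topics_mapping(SAMPLE_MAPPING):
        print(f"entry {f['entry']} ({f['topic']}): {f['field']}={f['value']!r}: {f['reason']}")
```

The same check can be run over the connector configs stored in Kafka Connect to audit historical changes, which is the monitoring step recommended further down this page.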

Affected Systems

This issue affects Azure’s kafka-sink-azure-kusto Kafka Connect sink plugin for Azure Data Explorer. All releases earlier than 5.2.3 are vulnerable. Versions 5.2.3 and later contain the fix that sanitizes configuration input.

Risk and Exploitability

The CVSS score is 5.9, indicating moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker with the ability to modify connector configuration; no external end‑user interaction or record payload is involved. The attack vector is therefore limited to privileged configuration changes within a Kafka Connect deployment.

Generated by OpenCVE AI on May 11, 2026 at 18:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade kafka-sink-azure-kusto to v5.2.3 or newer to apply the input sanitization fix.
  • Restrict the permissions of users who can create or modify connector configurations to a least‑privilege role that does not include service principal access to Azure Data Explorer.
  • Activate monitoring or alerts for configuration changes that include suspicious KQL metacharacters, and audit historical changes for potential tampering.

Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type: First Time appeared. Values removed: none. Values added: Azure; Azure kafka-sink-azure-kusto.
Type: Vendors & Products. Values removed: none. Values added: Azure; Azure kafka-sink-azure-kusto.

Mon, 11 May 2026 18:30:00 +0000

Type: Metrics. Values removed: none. Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 11 May 2026 17:30:00 +0000

Type: Description. Values removed: none. Values added: kafka-sink-azure-kusto Kafka Connect plugin is the official Microsoft sink for Azure Data Explorer (Kusto). Prior to 5.2.3, kafka-sink-azure-kusto did not sanitize user-controlled values inside the kusto.tables.topics.mapping configuration. The db, table, mapping, and format fields of each mapping entry were interpolated directly into KQL management/query commands via String.formatted(...) (e.g., FETCH_TABLE_COMMAND.formatted(table) → "<table> | count", FETCH_TABLE_MAPPING_COMMAND.formatted(table, format, mapping) → ".show table <table> ingestion <format> mapping '<mapping>'"). An actor able to influence the connector configuration (for example, someone with permissions to submit or edit Kafka Connect connector configs) could embed KQL metacharacters (;, |, ') to execute arbitrary management commands in the context of the connector's service principal — enabling schema enumeration/modification, ingestion-mapping tampering, or changes to streaming/retention policies on the target Azure Data Explorer database. This is a tampering vulnerability. Exploitation requires privileged access to the connector configuration; no end-user interaction or Kafka record payload is involved. This vulnerability is fixed in 5.2.3.
Type: Title. Values removed: none. Values added: KQL injection via kusto.tables.topics.mapping in kafka-sink-azure-kusto
Type: Weaknesses. Values removed: none. Values added: CWE-943
Type: References. Values removed: none. Values added: (empty)
Type: Metrics. Values removed: none. Values added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T17:27:23.704Z

Reserved: 2026-04-26T12:37:18.170Z

Link: CVE-2026-42316

Vulnrichment

Updated: 2026-05-11T17:27:20.366Z

NVD

Status: Received

Published: 2026-05-11T18:16:35.400

Modified: 2026-05-11T18:16:35.400

Link: CVE-2026-42316

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:22:52Z

Weaknesses