Description
Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to version 2.10.4, improper access control allows disclosure of password hash. This issue has been patched in version 2.10.4.
Published: 2026-06-02
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Klaw lacks sufficient access control over the endpoint that exposes user password hashes. This flaw permits an attacker to retrieve those hashes, which can then be cracked with off‑the‑shelf hashing tools, enabling credential reuse or privilege escalation. The weakness directly undermines confidentiality and is formally identified as CWE‑200 (Information Exposure) and CWE‑284 (Improper Access Control).

Affected Systems

The vulnerability affects the Aiven‑Open:klaw product. Any installation running a version earlier than 2.10.4 is susceptible; version 2.10.4 and later contain the corrective code.

Risk and Exploitability

The CVSS score of 6.9 reflects medium to high risk. EPSS data is not available, so the current exploitation probability cannot be quantified, and the vulnerability is not listed in CISA’s KEV catalog. Attack is likely carried out remotely via the web interface, targeting the exposed password‑hash endpoint. If the system is running in a shared or containerized environment, a local attacker that can reach the network may also exploit this flaw by sending an unauthenticated request to the vulnerable endpoint.

Generated by OpenCVE AI on June 2, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Klaw to version 2.10.4 or later to obtain the patch that removes the exposed password‑hash endpoint.
  • Configure role‑based access control to ensure that the endpoint is only reachable by accounts with explicit permission to view sensitive data.
  • Review and tighten user permissions so that only administrators or roles with a legitimate business need can access protected resources.

Generated by OpenCVE AI on June 2, 2026 at 16:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Aiven-open
Aiven-open klaw
Vendors & Products Aiven-open
Aiven-open klaw

Tue, 02 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to version 2.10.4, improper access control allows disclosure of password hash. This issue has been patched in version 2.10.4.
Title Klaw: Improper Access Control Allows Disclosure of Password Hash
Weaknesses CWE-200
CWE-284
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Aiven-open Klaw
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T16:41:52.955Z

Reserved: 2026-05-08T18:45:10.097Z

Link: CVE-2026-45080

cve-icon Vulnrichment

Updated: 2026-06-02T16:39:50.735Z

cve-icon NVD

Status : Deferred

Published: 2026-06-02T16:16:41.390

Modified: 2026-06-02T17:15:44.040

Link: CVE-2026-45080

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T17:00:14Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-284

    Improper Access Control