Description
It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an unrecognized or unsupported type. Users are recommended to upgrade to version 2.1.2, which fixes this issue.
Published: 2026-06-26
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can defeat the KDC's pre-authentication check by including a PA-DATA element whose type the server does not recognize or support. Because the check is skipped rather than failed, the KDC proceeds with the AS exchange and issues a reply for a principal the attacker has not proven a key for. The root cause is a missing critical step in authentication (CWE-304), namely recording that a supported mechanism actually verified before the reply is built, combined with a security check that does not implement what the Kerberos standard intends (CWE-358). In standard Kerberos the AS-REP's encrypted part is still keyed to the client's long-term key, so an attacker who does not hold that key gains the same material an AS-REP roasting attack collects, enabling offline password guessing against principals that pre-authentication was supposed to shield; this is consistent with the Low confidentiality, integrity and availability impact in the CVSS vector.

Affected Systems

The affected software is Apache Kerby, deployed by the Apache Software Foundation. Versions before 2.1.2 are vulnerable; users should upgrade to version 2.1.2 or later to obtain the fix.

Risk and Exploitability

The EPSS score is below 1% (Very Low) and the vulnerability is not listed in CISA KEV, so there is no evidence of exploitation in the wild at the time of enrichment; the SSVC assessment likewise records Exploitation: none but Automatable: yes. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, 7.3 High) describes an unauthenticated network attacker who needs no user interaction: anyone who can reach the KDC's AS-REQ port can submit a PA-DATA element with an unrecognized type and have pre-authentication treated as satisfied. No social engineering or prior foothold is involved, so the main limiting factors are network reachability of the KDC and how much an attacker can do with an AS-REP whose encrypted part is keyed to a client key they do not hold.

Generated by OpenCVE AI on June 27, 2026 at 02:05 UTC.
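The Impact and Risk paragraphs above describe the CWE-304 shape of the bug: the KDC ignores PA-DATA types it does not implement, but nothing records that no supported mechanism has verified before the reply is issued. The following is an added toy model of that check in its vulnerable and hardened forms; it is not Apache Kerby code and makes no claim about where the defect sits in Kerby. The real PA-ENC-TIMESTAMP value is an encrypted ASN.1 PA-ENC-TS-ENC structure; here it is replaced by an HMAC-SHA256 over the timestamp under the client key so the check runs offline, and the type number 9999 is a hypothetical stand-in for a type the KDC does not handle.

```python
"""Toy model of a KDC pre-authentication check, in the vulnerable shape
described by CWE-304 and in a hardened form.

Constructed example; this is not Apache Kerby code. The real PA-ENC-TIMESTAMP
value is an encrypted ASN.1 PA-ENC-TS-ENC structure; here it is replaced by an
HMAC-SHA256 over the timestamp under the client key so the check runs offline.
"""
from dataclasses import dataclass
import hashlib
import hmac
import struct

PA_ENC_TIMESTAMP = 2            # RFC 4120 pre-auth type number (real)
PA_TYPE_UNIMPLEMENTED = 9999    # hypothetical: a type this KDC does not handle
CLOCK_SKEW_SECONDS = 300

ISSUE_TICKET = "AS-REP"
PREAUTH_REQUIRED = "KDC_ERR_PREAUTH_REQUIRED"
PREAUTH_FAILED = "KDC_ERR_PREAUTH_FAILED"


@dataclass(frozen=True)
class PaData:
    padata_type: int
    padata_value: bytes


def make_enc_timestamp(client_key: bytes, timestamp: int) -> PaData:
    """Client side: stand-in for PA-ENC-TIMESTAMP (timestamp || MAC)."""
    ts = struct.pack(">Q", timestamp)
    mac = hmac.new(client_key, ts, hashlib.sha256).digest()
    return PaData(PA_ENC_TIMESTAMP, ts + mac)


def verify_enc_timestamp(value: bytes, client_key: bytes, now: int) -> bool:
    """KDC side: the MAC must verify under the client key and be fresh."""
    if len(value) != 8 + 32:
        return False
    ts, mac = value[:8], value[8:]
    expected = hmac.new(client_key, ts, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False
    (timestamp,) = struct.unpack(">Q", ts)
    return abs(timestamp - now) <= CLOCK_SKEW_SECONDS


def kdc_preauth_vulnerable(padatas, client_key: bytes, now: int) -> str:
    """Vulnerable shape: the presence of any PA-DATA is confused with a
    successful pre-authentication."""
    if not padatas:
        return PREAUTH_REQUIRED
    for pa in padatas:
        if pa.padata_type == PA_ENC_TIMESTAMP:
            if not verify_enc_timestamp(pa.padata_value, client_key, now):
                return PREAUTH_FAILED
        # Unrecognized types fall through and are ignored. Nothing records
        # that no supported mechanism has been verified yet.
    return ISSUE_TICKET  # BUG: reachable with zero verified mechanisms


def kdc_preauth_hardened(padatas, client_key: bytes, now: int) -> str:
    """Fixed shape: issue only after a recognized mechanism has verified."""
    verified = False
    for pa in padatas:
        if pa.padata_type == PA_ENC_TIMESTAMP:
            if not verify_enc_timestamp(pa.padata_value, client_key, now):
                return PREAUTH_FAILED
            verified = True
        # Unrecognized types are still ignored (they may be extensions this
        # KDC does not implement), but ignoring one can never set `verified`.
    return ISSUE_TICKET if verified else PREAUTH_REQUIRED


if __name__ == "__main__":
    key, now = b"constructed-client-key", 1_700_000_000
    probe = [PaData(PA_TYPE_UNIMPLEMENTED, b"\x00")]
    print("vulnerable:", kdc_preauth_vulnerable(probe, key, now))  # AS-REP
    print("hardened:  ", kdc_preauth_hardened(probe, key, now))    # KDC_ERR_PREAUTH_REQUIRED
```

The only difference between the two KDC functions is the `verified` flag: both ignore unknown types, but the hardened version falls back to KDC_ERR_PREAUTH_REQUIRED when that is all the request carried, which is the behaviour a client that really lacks a supported mechanism should see.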

Remediation

The CVE description identifies Apache Kerby 2.1.2 as the fixing release; no separate workaround has been published, so remediation is the upgrade.

OpenCVE Recommended Actions

  • Upgrade Apache Kerby to version 2.1.2 or later.
  • Restart the Kerberos service to load the updated binaries.
  • Monitor KDC logs for AS-REQ messages that carry only unrecognized PA-DATA types, and investigate any AS-REP issued for such a request, since a correctly behaving KDC should answer it with KDC_ERR_PREAUTH_REQUIRED.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 00:15:00 +0000

  Type         Values Removed           Values Added
  Weaknesses                            CWE-358
  References
  Metrics      threat_severity: None    threat_severity: Important

Fri, 26 Jun 2026 19:45:00 +0000

  Type                  Values Removed   Values Added
  First Time appeared                    Apache; Apache kerby
  Vendors & Products                     Apache; Apache kerby

Fri, 26 Jun 2026 15:30:00 +0000

  Type      Values Removed   Values Added
  Metrics                    cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
                             ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 12:45:00 +0000

  Type          Values Removed   Values Added
  Description                    It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an unrecognized or unsupported type. Users are recommended to upgrade to version 2.1.2, which fixes this issue.
  Title                          Apache Kerby: Kerberos Pre-Authentication Bypass
  Weaknesses                     CWE-304
  References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-26T18:36:17.839Z

Reserved: 2026-06-26T10:43:45.288Z

Link: CVE-2026-57915

Vulnrichment

Updated: 2026-06-26T18:36:17.839Z

NVD

No data.

Redhat

Severity : Important

Public Date: 2026-06-26T12:09:54Z

Links: CVE-2026-57915 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-27T02:15:10Z

Weaknesses
  • CWE-304

    Missing Critical Step in Authentication

  • CWE-358

    Improperly Implemented Security Check for Standard