CVE-2026-33557
Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication
In short
Apache Kafka's default OAuth authentication doesn't verify JWT tokens properly, allowing attackers to forge tokens and gain unauthorized access to the broker with any username they choose.
Technical detail
The DefaultJwtValidator in Apache Kafka's OAUTHBEARER mechanism fails to validate JWT signatures, issuer claims, and audience restrictions. An unauthenticated attacker can craft arbitrary JWT tokens with spoofed identities and authenticate as any user without cryptographic verification. This bypasses access controls in affected versions (4.1.0, 4.1.1).
Summary generated and translated by AI from the official description.
A possible security vulnerability has been identified in Apache Kafka.
By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the `preferred_username` set to any user, and the broker will accept it.
We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected products
Apache Software Foundation · Apache KafkaWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →