CVE-2026-33557 - Vulnerability Analysis
Critical | CVSS: 9.1 | Last Updated: April 20, 2026
Apache Kafka - Authentication Bypass
Overview
Apache Kafka versions before the fixed releases 4.1.2 and 4.2.0 contain an authentication bypass in SASL/OAUTHBEARER authentication. The default JWT validator (`org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`) accepts any JWT without checking its signature, issuer or audience, so an attacker who can reach a broker listener that uses OAUTHBEARER can present a crafted token and authenticate as any user. No credentials or user interaction are required; the only prerequisite is the ability to construct a JWT with the claims the attacker wants the broker to trust.
Impact
An attacker can authenticate as any principal they name in the forged token and then act with that identity: reading, writing or administering whatever topics, consumer groups and cluster resources it is authorized for. Because the identity is attacker-chosen, ACLs provide no protection; the attacker simply claims a principal that already holds the required permissions. The CVSS vector rates confidentiality and integrity impact as high and availability as unaffected.
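The following is an added illustration, not code from Apache Kafka or from this advisory. It contrasts a validator that behaves the way the advisory describes the default (decode the token, verify nothing) with one that enforces signature, issuer, audience and expiry, and runs both against a forged unsigned token and a genuine one. HS256 with a shared secret stands in for the asymmetric provider keys a real OAuth deployment would fetch via JWKS; the secret, issuer and audience values are constructed for the demo.

```python
# Added example (not Kafka code): permissive vs. strict JWT validation.
# HS256 with a shared secret is a stand-in for an OAuth provider's signing key.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret"        # constructed; stands in for the IdP key
EXPECTED_ISS = "https://idp.example.test"   # assumed issuer the broker should trust
EXPECTED_AUD = "kafka-broker"               # assumed audience the broker should require


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, secret: Optional[bytes]) -> str:
    """Build a JWT. With secret=None the token is unsigned (alg 'none', empty signature)."""
    header = {"alg": "HS256" if secret else "none", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    if secret is None:
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def permissive_validate(token: str) -> dict:
    """Models the behaviour the advisory describes: decode the claims, verify nothing."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def strict_validate(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Accept only a token signed with the expected key, for the expected issuer and
    audience, that has not expired. Each failure raises ValueError with a reason."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust alg=none
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("bad issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUD and not (isinstance(aud, list) and EXPECTED_AUD in aud):
        raise ValueError("bad audience")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def outcome(validator, token: str, *args) -> str:
    """Summarise a validation attempt as 'accepted:<sub>' or 'rejected:<reason>'."""
    try:
        return "accepted:" + validator(token, *args)["sub"]
    except ValueError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    # Forged: attacker-chosen principal, attacker-chosen issuer/audience, no signature.
    forged = make_jwt({"sub": "admin", "iss": "https://attacker.test",
                       "aud": "anything", "exp": 4102444800}, None)
    genuine = make_jwt({"sub": "svc-producer", "iss": EXPECTED_ISS,
                        "aud": EXPECTED_AUD, "exp": time.time() + 300}, SECRET)
    print("permissive / forged :", outcome(permissive_validate, forged))
    print("strict     / forged :", outcome(strict_validate, forged, SECRET))
    print("strict     / genuine:", outcome(strict_validate, genuine, SECRET))
```

The permissive path is exactly what makes the bypass trivial: the attacker picks `sub` (and any other claim the broker maps to a principal), and nothing in the token ties it to the identity provider. The strict path shows the four checks a broker-side validator has to perform before a claim can be trusted.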
Mitigation
Upgrade to version 4.1.2, 4.2.0 or later. Where that cannot be done immediately, set `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly on every broker that enables the OAUTHBEARER mechanism, including any per-listener override of the property, and confirm the setting is present rather than relying on the default.
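As an added example (not part of the advisory or of Kafka), the check below audits a broker `server.properties` for the setting named in this mitigation. It flags the property when it is absent (the broker then uses the default validator the advisory describes), when it names `DefaultJwtValidator`, and asks for review when it names anything else; it also notes when OAUTHBEARER is not among `sasl.enabled.mechanisms`, since the validator setting only matters on brokers that use that mechanism. The per-listener match on keys ending in the property name assumes Kafka's `listener.name.<listener>.<mechanism>.` prefix convention; the sample configurations are constructed.

```python
# Added example (not Kafka code): audit a broker properties file for the
# sasl.oauthbearer.jwt.validator.class setting named in the mitigation.
import re

PROP = "sasl.oauthbearer.jwt.validator.class"
WEAK = "org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator"
FIXED = "org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator"

# Constructed sample configurations (not taken from any real deployment).
VULNERABLE_CONF = """
listeners=SASL_SSL://:9093
sasl.enabled.mechanisms=OAUTHBEARER
sasl.oauthbearer.jwt.validator.class=org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator
"""
IMPLICIT_CONF = """
# no validator class set: the broker falls back to the default
listeners=SASL_SSL://:9093
sasl.enabled.mechanisms=OAUTHBEARER
"""
HARDENED_CONF = """
listeners=SASL_SSL://:9093
sasl.enabled.mechanisms=OAUTHBEARER
sasl.oauthbearer.jwt.validator.class=org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator
"""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(text: str) -> list:
    """Return findings, each prefixed with WEAK, OK, REVIEW or info."""
    props = parse_properties(text)
    findings = []
    mechs = {m.strip().upper() for m in props.get("sasl.enabled.mechanisms", "GSSAPI").split(",")}
    if "OAUTHBEARER" not in mechs:
        findings.append("info: OAUTHBEARER not in sasl.enabled.mechanisms; "
                        "the validator setting is not exercised by this broker")
    # Match the bare property and per-listener overrides (assumed prefix convention).
    keys = [k for k in props if k == PROP or k.endswith("." + PROP)]
    if not keys:
        findings.append(f"WEAK: {PROP} not set; broker uses the default validator")
    for k in keys:
        v = props[k]
        if v == WEAK:
            findings.append(f"WEAK: {k}={v}")
        elif v == FIXED:
            findings.append(f"OK: {k}={v}")
        else:
            findings.append(f"REVIEW: {k}={v} (custom validator; confirm it checks "
                            "signature, issuer and audience)")
    return findings


def is_exposed(text: str) -> bool:
    """True when any finding is WEAK."""
    return any(f.startswith("WEAK") for f in audit(text))


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("implicit", IMPLICIT_CONF),
                       ("hardened", HARDENED_CONF)):
        print(f"[{name}] exposed={is_exposed(conf)}")
        for finding in audit(conf):
            print("   ", finding)
```

Run it against each broker's properties file (and against any per-listener overrides) rather than a single template; the advisory's point is that an unset value is just as weak as an explicit `DefaultJwtValidator`, so the audit treats both as findings and only an explicit `BrokerJwtValidator` as clean. A patched release removes the need for the explicit setting, but checking it remains a cheap regression guard.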
Social Media Activity (2 posts)
CVE-2026-33557 - Critical (9.1) A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token ... https://www.thehackerwire.com/vulnerability/CVE-2026-33557/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-33557
- Severity: Critical
- CVSS Score: 9.1
- Type: broken_authentication
- Status: unconfirmed
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-1285
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N