CVE-2026-33557
Published: 20 April 2026
Description
A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the `preferred_username` claim set to any user, and the broker will accept it. We advise Kafka users running Kafka v4.1.0 or v4.1.1 to explicitly set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` to avoid this vulnerability. In Kafka v4.1.2, v4.2.0 and later, the issue is fixed and the broker validates the JWT token correctly.
Mitigating Controls (NIST 800-53 r5)
- Requires timely identification, reporting, and correction of system flaws, such as the improper JWT validation in Apache Kafka versions 4.1.0 and 4.1.1, by patching to fixed releases such as 4.1.2.
- Mandates secure configuration settings for the `sasl.oauthbearer.jwt.validator.class` property so that it uses `BrokerJwtValidator`, enforcing JWT signature, issuer, and audience validation to block forged tokens.
- Ensures robust identification and authentication mechanisms that validate JWT tokens and prevent impersonation via unverified signatures, issuers, or audiences in Kafka's SASL/OAuthBearer.
Security Summary
CVE-2026-33557 is a high-severity vulnerability (CVSS 3.1 score of 9.1) in Apache Kafka, stemming from the default broker property `sasl.oauthbearer.jwt.validator.class` being set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. This validator accepts any JSON Web Token (JWT) without verifying its signature, issuer, or audience, allowing improper authentication. The issue affects Apache Kafka versions 4.1.0 and 4.1.1.
A remote attacker with network access to the Kafka broker can exploit this vulnerability without privileges or user interaction by generating a custom JWT token from any issuer, setting the `preferred_username` claim to impersonate any valid user. Successful exploitation enables high confidentiality and integrity impacts, such as unauthorized access to topics, data exfiltration, or message injection, corresponding to CWE-1285 (Improper Validation of Specified Index or Position).
Apache Kafka advisories recommend that users of versions 4.1.0 and 4.1.1 explicitly configure `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` as a mitigation. The vulnerability is fixed in Kafka 4.1.2, 4.2.0, and later releases, where JWT validation is properly enforced. Additional details are available in the official Kafka CVE list at https://kafka.apache.org/cve-list and related mailing list announcements.
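The description and the security summary above both come down to one configuration check: on an affected broker, `sasl.oauthbearer.jwt.validator.class` must be set explicitly to `BrokerJwtValidator` wherever OAUTHBEARER is an enabled SASL mechanism. The script below, an added example that is not part of this advisory or of Apache Kafka, audits a `server.properties` file for that condition. It assumes the standard Java `.properties` syntax, the key names quoted in the advisory, and that listener-level overrides carry Kafka's `listener.name.<listener>.` prefix (so keys are matched on their suffix); the broker version is passed in by the caller because `server.properties` does not record it. The sample configurations are constructed for the example.

```python
"""Audit a Kafka broker's server.properties for the CVE-2026-33557 condition.

Added example, not part of the advisory or of Apache Kafka. Assumes the Java
.properties syntax and the key names quoted in the advisory; the broker version
is supplied by the caller since server.properties does not record it.
"""
from __future__ import annotations

DEFAULT_VALIDATOR = "org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator"
SAFE_VALIDATOR = "org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator"
VALIDATOR_KEY = "sasl.oauthbearer.jwt.validator.class"
AFFECTED_VERSIONS = {"4.1.0", "4.1.1"}  # releases named by the advisory


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separators,
    trailing-backslash line continuation. Enough for broker configs, not the full spec."""
    props: dict[str, str] = {}
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line[0] in "#!"):
            continue  # blank line or comment
        if line.endswith("\\"):
            buf += line[:-1]  # continuation: glue the next line onto this one
            continue
        logical = buf + line
        buf = ""
        seps = [i for i in (logical.find("="), logical.find(":")) if i >= 0]
        if not seps:
            continue  # key without a value is irrelevant for this audit
        i = min(seps)
        props[logical[:i].strip()] = logical[i + 1:].strip()
    return props


def oauthbearer_enabled(props: dict[str, str]) -> bool:
    """True if a broker-wide or listener-prefixed mechanism list enables OAUTHBEARER.
    Assumption: listener overrides use the 'listener.name.<listener>.' prefix, so
    matching on the key suffix covers both forms."""
    for key, value in props.items():
        if key.endswith("sasl.enabled.mechanisms"):
            mechanisms = {m.strip().upper() for m in value.split(",")}
            if "OAUTHBEARER" in mechanisms:
                return True
    return False


def audit(props: dict[str, str], kafka_version: str) -> list[str]:
    """Return a list of findings; an empty list means no action is needed."""
    findings: list[str] = []
    if not oauthbearer_enabled(props):
        return findings  # without an OAUTHBEARER listener the JWT validator is never used
    settings = {k: v for k, v in props.items() if k.endswith(VALIDATOR_KEY)}
    affected = kafka_version in AFFECTED_VERSIONS
    if affected and not settings:
        findings.append(
            f"Kafka {kafka_version}: {VALIDATOR_KEY} is unset, so the broker falls back to "
            f"DefaultJwtValidator (no signature/issuer/audience checks); set it to {SAFE_VALIDATOR}"
        )
    for key, value in settings.items():
        # Explicit DefaultJwtValidator is flagged on any version; on affected versions
        # anything other than BrokerJwtValidator is flagged, as the advisory recommends.
        if value == DEFAULT_VALIDATOR or (affected and value != SAFE_VALIDATOR):
            findings.append(f"{key}={value}; the advisory recommends {SAFE_VALIDATOR}")
    return findings


# Constructed sample configurations (not taken from any real deployment).
VULNERABLE_CONFIG = """\
# broker with an OAUTHBEARER listener and no explicit validator class
listeners=SASL_SSL://0.0.0.0:9093
listener.name.sasl_ssl.sasl.enabled.mechanisms=OAUTHBEARER, \\
    PLAIN
"""
MITIGATED_CONFIG = VULNERABLE_CONFIG + f"{VALIDATOR_KEY}={SAFE_VALIDATOR}\n"

if __name__ == "__main__":
    for label, cfg, version in (
        ("vulnerable 4.1.0", VULNERABLE_CONFIG, "4.1.0"),
        ("mitigated 4.1.1", MITIGATED_CONFIG, "4.1.1"),
        ("unset on 4.2.0", VULNERABLE_CONFIG, "4.2.0"),
    ):
        print(label, audit(parse_properties(cfg), version) or "OK")
```

Run it against a copy of the broker's `server.properties` together with the broker version from `kafka-broker-api-versions.sh` or the release you deployed; an empty result means either that OAUTHBEARER is not enabled or that the validator class is already set as the advisory recommends. Patching to a fixed release remains the complete remedy; the configuration setting is the interim mitigation for 4.1.0 and 4.1.1.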
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of the Kafka broker (T1210) via a forged JWT, supporting user impersonation (T1134.001) and impersonation in general (T1656).