CVE-2026-33557

Description

A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the `preferred_username` set to any user, and the broker will accept it. We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.

CVSS v3.1 Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS — Exploit Prediction

0.0020

Probability of exploitation

0.42%

Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-1285 CWE-1285

Affected Products

Vendor	Product	Versions
apache	kafka	4.1.0 — 4.1.2

References

Advisories & Patches

https://kafka.apache.org/cve-list https://lists.apache.org/thread/v57o00hm6yszdpdnvqx2ss4561yh953h

Other References

http://www.openwall.com/lists/oss-security/2026/04/17/2

Frequently Asked Questions

What is CVE-2026-33557? +

A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the `preferred_username` set to any user, and the broker will accept it. We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token. It has a CVSS v3.1 base score of 9.1 (CRITICAL).

How severe is CVE-2026-33557? +

CVE-2026-33557 has a CVSS v3.1 score of 9.1 out of 10, rated CRITICAL. This is a critical vulnerability that should be patched immediately. The EPSS score is 0.0020, placing it in the 0th percentile for exploitation probability.

What products are affected by CVE-2026-33557? +

CVE-2026-33557 affects products from apache, specifically: kafka. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2026-33557? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-55086 9.8

In NetXDuo version before 6.4.4, a networking support module for Eclipse Foundation ThreadX, in the DHCPV6 client there was an …

CVE-2025-3357 9.8

IBM Tivoli Monitoring 6.3.0.7 through 6.3.0.7 Service Pack 19 could allow a remote attacker to execute arbitrary code due to …

CVE-2025-3755 9.1

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU modules …

CVE-2024-36342 8.8

Improper input validation in the GPU driver could allow an attacker to exploit a heap overflow potentially resulting in arbitrary …

CVE-2024-41928 8.4

Malicious software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in …

CVE-2025-7849 7.8

A memory corruption vulnerability due to improper error handling when a VILinkObj is null exists in NI LabVIEW that may …