Apache Kafka 4.1.0/4.1.1: JWT Validator accepts unsigned tokens
CVE-2026-33557 Published on April 20, 2026

Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication
A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the `preferred_username` set to any user, and the broker will accept it. We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-33557 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
LOW
Availability Impact:
LOW

Weakness Types

Improper Validation of Specified Index, Position, or Offset in Input

The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.

Incorrect Implementation of Authentication Algorithm

The requirements for the software dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect. This incorrect implementation may allow authentication to be bypassed.


Products Associated with CVE-2026-33557

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-33557 are published in these products:

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Affected Versions

Apache Software Foundation Apache Kafka: Red Hat build of Debezium 3: Red Hat streams for Apache Kafka 3: Red Hat OpenShift Serverless: Red Hat build of Apache Camel 4 for Quarkus 3: Red Hat build of Apache Camel for Spring Boot 4: Red Hat build of Apicurio Registry 2: Red Hat build of Apicurio Registry 3: Red Hat build of Debezium 2: Red Hat build of Quarkus: Red Hat Data Grid 8: Red Hat Enterprise Linux 8: Red Hat Enterprise Linux 9: Red Hat Fuse 7: Red Hat JBoss Enterprise Application Platform 7: Red Hat JBoss Enterprise Application Platform 8: Red Hat JBoss Enterprise Application Platform Expansion Pack: Red Hat Process Automation 7: Red Hat streams for Apache Kafka 2:

Exploit Probability

EPSS
0.50%
Percentile
38.78%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.