Apache Kafka Info Exposure via NetworkClient DEBUG Logs before 3.9.2/4.0.1
CVE-2026-33558 Published on April 20, 2026
Apache Kafka, Apache Kafka Clients: Information Exposure Through Network Client Log Output
An information exposure vulnerability has been identified in Apache Kafka.
The NetworkClient component writes the full contents of requests and responses to the log at the DEBUG log level. By default the log level is set to INFO. If DEBUG is enabled, sensitive information is exposed through the logged request and response output. The complete list of affected requests and responses is:
* AlterConfigsRequest
* AlterUserScramCredentialsRequest
* ExpireDelegationTokenRequest
* IncrementalAlterConfigsRequest
* RenewDelegationTokenRequest
* SaslAuthenticateRequest
* createDelegationTokenResponse
* describeDelegationTokenResponse
* SaslAuthenticateResponse
This issue affects Apache Kafka from any version that supports the APIs listed above through v3.9.1 and v4.0.0. Kafka users are advised to upgrade to v3.9.2, v4.0.1, or later to avoid this vulnerability.
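The practical defender-side questions here are whether DEBUG is effectively enabled for the NetworkClient logger (including through a parent logger such as org.apache.kafka) and whether existing logs already contain entries for the request and response types listed above. The following Python is an added example, not code from the advisory or from the Kafka project. It assumes a log4j 1.x style properties file (the format of the config/log4j.properties shipped with Kafka 3.x) and the bracketed timestamp / level / message / (logger) line layout of Kafka's default pattern; the property file contents and log lines below are constructed samples, and the credential bytes in them are placeholders.

```python
"""Added example: two checks for the NetworkClient DEBUG log exposure.

1. network_client_debug_enabled(): parse a log4j 1.x properties file and resolve
   the effective level of org.apache.kafka.clients.NetworkClient by walking the
   logger hierarchy, so a DEBUG set on a parent logger is caught too.
2. scan_log_lines(): flag DEBUG (or lower) NetworkClient lines that mention one
   of the request/response types named in the advisory.
"""
import re

# Request/response types the advisory lists as logged in full at DEBUG.
SENSITIVE_TYPES = (
    "AlterConfigsRequest",
    "AlterUserScramCredentialsRequest",
    "ExpireDelegationTokenRequest",
    "IncrementalAlterConfigsRequest",
    "RenewDelegationTokenRequest",
    "SaslAuthenticateRequest",
    "createDelegationTokenResponse",
    "describeDelegationTokenResponse",
    "SaslAuthenticateResponse",
)

NETWORK_CLIENT_LOGGER = "org.apache.kafka.clients.NetworkClient"
LEVEL_ORDER = {"ALL": 0, "TRACE": 0, "DEBUG": 1, "INFO": 2,
               "WARN": 3, "ERROR": 4, "FATAL": 5, "OFF": 6}


def parse_log4j_properties(text):
    """Return {logger_name: LEVEL}; the root logger is keyed as "".
    Appender lists after the level ("INFO, stdout") are ignored."""
    levels = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        level = value.split(",", 1)[0].strip().upper()
        if key in ("log4j.rootLogger", "log4j.rootCategory"):
            levels[""] = level
        elif key.startswith("log4j.logger."):
            levels[key[len("log4j.logger."):]] = level
    return levels


def effective_level(levels, logger_name):
    """log4j level inheritance: first configured level from the logger up to root."""
    name = logger_name
    while True:
        if name in levels:
            return levels[name]
        if not name:
            return "DEBUG"  # log4j 1.x root default when nothing is configured
        name = name.rpartition(".")[0]


def network_client_debug_enabled(properties_text):
    """True when the effective NetworkClient level is DEBUG or more verbose."""
    level = effective_level(parse_log4j_properties(properties_text), NETWORK_CLIENT_LOGGER)
    return LEVEL_ORDER.get(level, 1) <= LEVEL_ORDER["DEBUG"]


# Assumed layout: "[timestamp] LEVEL message (logger.name)" as in Kafka's default pattern.
LOG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+(?P<msg>.*?)\s+\((?P<logger>[\w.$]+)\)\s*$")


def scan_log_lines(lines, logger_name=NETWORK_CLIENT_LOGGER):
    """Return (line_number, level, matched_type) for DEBUG-or-lower lines from
    logger_name whose message mentions a sensitive request/response type."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = LOG_LINE.match(line)
        if not m or m.group("logger") != logger_name:
            continue
        if LEVEL_ORDER.get(m.group("level"), 1) > LEVEL_ORDER["DEBUG"]:
            continue
        msg = m.group("msg").lower()
        for sensitive in SENSITIVE_TYPES:  # substring: matches e.g. SaslAuthenticateRequestData
            if sensitive.lower() in msg:
                hits.append((number, m.group("level"), sensitive))
                break
    return hits


# Constructed samples (not from a real deployment).
WEAK_LOG4J = """\
log4j.rootLogger=INFO, stdout
log4j.logger.org.apache.kafka=DEBUG
"""
FIXED_LOG4J = """\
log4j.rootLogger=INFO, stdout
log4j.logger.org.apache.kafka=INFO
log4j.logger.org.apache.kafka.clients.NetworkClient=INFO
"""
SAMPLE_LOG = [
    "[2026-04-20 10:00:01,001] INFO [AdminClient clientId=adminclient-1] Kafka version: 3.9.1 (org.apache.kafka.common.utils.AppInfoParser)",
    "[2026-04-20 10:00:01,002] DEBUG [AdminClient clientId=adminclient-1] Sending SASL_AUTHENTICATE request to node -1: SaslAuthenticateRequestData(authBytes=[PLACEHOLDER]) (org.apache.kafka.clients.NetworkClient)",
    "[2026-04-20 10:00:01,003] DEBUG [AdminClient clientId=adminclient-1] Received SASL_AUTHENTICATE response from node -1: SaslAuthenticateResponseData(authBytes=[PLACEHOLDER]) (org.apache.kafka.clients.NetworkClient)",
    "[2026-04-20 10:00:01,004] DEBUG [AdminClient clientId=adminclient-1] Sending METADATA request to node -1: MetadataRequestData(topics=[]) (org.apache.kafka.clients.NetworkClient)",
]

if __name__ == "__main__":
    print("weak config exposes NetworkClient DEBUG:", network_client_debug_enabled(WEAK_LOG4J))
    print("fixed config exposes NetworkClient DEBUG:", network_client_debug_enabled(FIXED_LOG4J))
    for hit in scan_log_lines(SAMPLE_LOG):
        print("sensitive DEBUG entry at line %d (%s): %s" % hit)
```

The hierarchy walk is the important detail: a deployment that leaves NetworkClient unconfigured but sets org.apache.kafka (or the root logger) to DEBUG is just as exposed as one that names NetworkClient explicitly, and a line-by-line grep for the NetworkClient logger name in the properties file would miss it. The log scan is a triage aid for deciding whether credentials or tokens that passed through a client need to be rotated after upgrading.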
Vulnerability Analysis
CVE-2026-33558 is exploitable with network access and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be a small impact on confidentiality, and a small impact on integrity and availability.
Weakness Type
DEPRECATED: Information Exposure Through Server Log Files
This entry has been deprecated because its abstraction was too low-level. See CWE-532.
Products Associated with CVE-2026-33558
Affected Versions
Apache Software Foundation Apache Kafka:
- Versions from 0.11.0 up to and including 3.9.1 are affected.
- Version 4.0.0 is affected.