
CVE-2026-25999

Severity: High
Published: 11 February 2026
Modified: 26 February 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H)
EPSS Score: 0.0004 (14.0th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25999 is a high-severity Improper Authorization (CWE-285) vulnerability in Aiven Klaw. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 14.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-25999 is an improper access control vulnerability (CWE-285) affecting Klaw, a self-service Apache Kafka Topic Management and Governance tool/portal, in versions prior to 2.10.2. The issue allows unauthorized users to trigger a reset or deletion of metadata for any tenant by sending a crafted request to the /resetMemoryCache endpoint. This results in the clearing of cached configurations, environments, and cluster data. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H), indicating high severity primarily due to availability impact.

An attacker with low privileges (PR:L) can exploit this over the network with low complexity and no user interaction required. By crafting and sending a request to the /resetMemoryCache endpoint, the attacker can clear cached data across tenants, leading to high availability disruption as services may need to reload configurations and potentially experience outages. The impact includes low integrity effects from metadata deletion or resets, but no confidentiality loss.

Mitigation is available in Klaw version 2.10.2, which addresses the improper access control. The GitHub security advisory (GHSA-rp26-qv9w-xr5q), release notes for v2.10.2, and the fixing commit (617ed96b1db111ed498d89132321bf39f486e3a1) provide details on the patch and upgrade instructions for administrators.


Vulnerability details

Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to 2.10.2, there is an improper access control vulnerability that allows unauthorized users to trigger a reset or deletion of metadata for any tenant. By sending a crafted request to the /resetMemoryCache endpoint, an attacker can clear cached configurations, environments, and cluster data. This vulnerability is fixed in 2.10.2.

CWE(s): CWE-285 Improper Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The improper access control flaw directly enables remote exploitation of the public-facing Klaw web portal (/resetMemoryCache) to trigger application-level denial of service via cache/metadata reset, matching T1190 (Exploit Public-Facing Application) for initial access and T1499.004 (Application or System Exploitation) for the resulting availability impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13646 (shared CWE-285)
CVE-2026-25809 (shared CWE-285)
CVE-2025-55282 (same vendor: Aiven)
CVE-2026-32252 (shared CWE-285)
CVE-2026-30702 (shared CWE-285)
CVE-2026-40246 (shared CWE-285)
CVE-2023-53895 (shared CWE-285)
CVE-2026-28448 (shared CWE-285)
CVE-2025-25196 (shared CWE-285)
CVE-2026-22022 (shared CWE-285)

Affected Assets

Vendor: aiven
Product: klaw
Versions: ≤ 2.10.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: Directly enforces authorization checks on the /resetMemoryCache endpoint so that only permitted users can trigger tenant metadata resets or deletions.

prevent: Limits the operations low-privilege accounts (PR:L) are allowed to perform, preventing them from reaching the dangerous resetMemoryCache function.

prevent: Restricts which users or roles may perform configuration or metadata changes, blocking unauthorized cache-clearing actions against any tenant.
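The controls above, as an added illustration that is not Klaw's code: a minimal model of the authorization gap (any authenticated caller may reset any tenant's cache) beside the check that closes it, plus an audit function that flags cache-reset requests in constructed access-log lines. The role name SUPERADMIN, the tenantId query parameter and the log layout are assumptions for the example, not Klaw's actual implementation.

```python
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class Principal:
    name: str
    tenant_id: int
    roles: frozenset  # assumed role names for this example, e.g. {"USER"} or {"SUPERADMIN"}

class Forbidden(Exception):
    pass

def reset_memory_cache_vulnerable(caller: Principal, tenant_id: int, cache: dict) -> bool:
    """Vulnerable pattern: any authenticated caller may reset any tenant's cache."""
    cache.pop(tenant_id, None)
    return True

def reset_memory_cache_hardened(caller: Principal, tenant_id: int, cache: dict) -> bool:
    """Hardened pattern (AC-3 / AC-6): require an admin role and scope to the caller's own tenant."""
    if "SUPERADMIN" not in caller.roles:
        raise Forbidden(f"{caller.name} lacks the role required to reset caches")
    if tenant_id != caller.tenant_id:
        raise Forbidden(f"{caller.name} may not reset tenant {tenant_id}")
    cache.pop(tenant_id, None)
    return True

# Constructed access-log lines in an assumed "user tenant method path status" layout.
SAMPLE_LOG = """\
alice 1 GET /getTopics 200
bob 2 POST /resetMemoryCache?tenantId=1 200
carol 1 POST /resetMemoryCache?tenantId=1 200
dave 3 POST /resetMemoryCache?tenantId=3 403
eve 1 POST /resetMemoryCache 200
"""
LOG_RE = re.compile(r"^(?P<user>\S+) (?P<tenant>\d+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")

def audit_cache_resets(log_text: str, admins: set) -> list:
    """Return (user, target_tenant, reason) for resetMemoryCache calls worth an alert:
    any request aimed at another tenant, or any successful call by a non-admin account."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "/resetMemoryCache" not in m["path"]:
            continue
        target = re.search(r"tenantId=(\d+)", m["path"])
        target_tenant = int(target.group(1)) if target else int(m["tenant"])
        if target_tenant != int(m["tenant"]):
            findings.append((m["user"], target_tenant, "cross-tenant reset attempt"))
        elif m["status"] == "200" and m["user"] not in admins:
            findings.append((m["user"], target_tenant, "non-admin reset succeeded"))
    return findings
```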
