Cyber Posture

CVE-2026-27134

High

Published: 21 February 2026

Modified: 25 February 2026
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: fixed in Strimzi 0.50.1
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.7th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-27134 is a high-severity Improper Authentication (CWE-287) vulnerability in the Linux Foundation's Strimzi Kafka Operator. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 5.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Exploitation of Remote Services (T1210). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SC-17 Public Key Infrastructure Certificates (prevent): Requires validation of public key certificates by constructing and verifying certification paths to accepted trust anchors, directly preventing improper trust of all CAs in multistage chains during mTLS authentication.

SI-2 Flaw Remediation (prevent): Mandates timely identification, reporting, and correction of flaws such as the Strimzi misconfiguration of trusted certificates for Kafka listeners.

Authenticator management (prevent; control ID not given on this page): Ensures proper management of authenticators, including certificates, to maintain sufficient strength and resist compromise from improper CA chain configurations.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

The CVE enables network-based unauthorized mTLS client authentication to Kafka listeners via improper certificate chain validation (CWE-295/296), directly facilitating exploitation of the exposed service for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. In versions 0.49.0 through 0.50.0, when using a custom Cluster or Clients CA with a multistage CA chain consisting of multiple CAs, Strimzi incorrectly configures the trusted certificates for mTLS authentication on the internal as well as user-configured listeners. All CAs from the CA chain will be trusted, and users with certificates signed by any of the CAs in the chain will be able to authenticate. This issue affects only users using a custom Cluster or Clients CA with a multistage CA chain consisting of multiple CAs. It does not affect users using the Strimzi-managed Cluster and Clients CAs. It also does not affect users using a custom Cluster or Clients CA with only a single CA (i.e., no CA chain with multiple CAs). This issue has been fixed in version 0.50.1. To work around this issue, instead of providing the full CA chain as the custom CA, users can provide only the single CA that should be used.

Deeper analysis

CVE-2026-27134 is a vulnerability in Strimzi, an operator for running Apache Kafka clusters on Kubernetes or OpenShift. In versions 0.49.0 through 0.50.0, Strimzi incorrectly configures trusted certificates for mutual TLS (mTLS) authentication on internal and user-configured listeners when using a custom Cluster or Clients CA with a multistage certificate authority (CA) chain of multiple CAs. Instead of trusting only the intended root CA, all CAs in the chain are trusted, enabling authentication with certificates signed by any CA in the chain. This issue solely affects deployments with custom CAs featuring multistage chains and does not impact Strimzi-managed CAs or single-CA custom setups.

An attacker can exploit this vulnerability over the network with no privileges or user interaction required, though it demands high attack complexity due to the need for a valid certificate from any CA in the affected chain. Successful exploitation allows unauthorized mTLS authentication to Kafka listeners, potentially granting high confidentiality, integrity, and availability impacts (CVSS 8.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). Associated weaknesses include CWE-287 (Improper Authentication), CWE-295 (Improper Certificate Validation), and CWE-296 (Improper Following of a Certificate's Chain of Trust).

The Strimzi security advisory (GHSA-2qwx-rq6j-8r6j) and release notes for version 0.50.1 confirm the fix, which properly restricts trusted CAs to the intended configuration. As a workaround, users should provide only the single desired CA certificate instead of the full multistage chain.
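The NVD description and the analysis above give a defender three things to check: the operator version (0.49.0 through 0.50.0 is affected, 0.50.1 is fixed), whether the custom Cluster or Clients CA is a bundle of several CA certificates rather than a single one, and, if so, which single CA to keep for the documented workaround. The following script is an added example, not code from this page or from the Strimzi project. It assumes the custom CA is already available as PEM text (how it is pulled from the Kubernetes Secret is out of scope), it recovers issuer and subject CommonNames with a byte-scanning heuristic rather than a full ASN.1 parser, and the sample chain it runs on is a constructed stand-in containing only the name bytes that heuristic looks for, not valid X.509 certificates.

```python
"""Audit a Strimzi custom CA bundle for the multi-CA trust condition of
CVE-2026-27134. Added example; not Strimzi project code.

Assumptions (not stated by the advisory): the CA is available as PEM text,
and the CommonName scan below is a heuristic, not an X.509 parser.
"""
import base64
import re
from typing import Dict, List, Tuple

# Affected range from the advisory text: 0.49.0 through 0.50.0, fixed in 0.50.1.
AFFECTED_MIN = (0, 49, 0)
FIXED_IN = (0, 50, 1)

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)
# DER bytes of OID 2.5.4.3 (id-at-commonName) followed by a string tag
# (UTF8String 0x0c, PrintableString 0x13 or IA5String 0x16).
_CN_RE = re.compile(rb"\x06\x03\x55\x04\x03[\x0c\x13\x16]")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.50.1' into (0, 50, 1) so versions compare as tuples."""
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Strimzi version: {v!r}")
    return tuple(int(p) for p in parts)


def split_pem_bundle(pem: str) -> List[str]:
    """Return every CERTIFICATE block in the bundle as a normalised PEM block."""
    blocks = []
    for m in _PEM_RE.finditer(pem):
        body = "".join(m.group(1).split())
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        blocks.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    return blocks


def _common_names(der: bytes) -> List[str]:
    """Heuristic: CN strings in order of appearance (issuer Name precedes subject Name
    in TBSCertificate). Only short-form lengths are handled; CNs are short."""
    names = []
    for m in _CN_RE.finditer(der):
        if m.end() >= len(der):
            continue
        length = der[m.end()]
        start = m.end() + 1
        if length < 0x80:
            names.append(der[start:start + length].decode("utf-8", "replace"))
    return names


def describe_chain(pem: str) -> List[Dict[str, object]]:
    """One entry per certificate: subject CN, issuer CN, and whether it is self-signed."""
    entries = []
    for block in split_pem_bundle(pem):
        der = base64.b64decode("".join(block.splitlines()[1:-1]))
        cns = _common_names(der)
        issuer = cns[0] if cns else "?"
        subject = cns[1] if len(cns) > 1 else issuer
        entries.append({"subject": subject, "issuer": issuer,
                        "self_signed": len(cns) >= 2 and cns[0] == cns[1]})
    return entries


def assess(version: str, pem: str) -> Dict[str, object]:
    """Apply the advisory's two conditions: affected version AND a multi-CA custom chain."""
    chain = describe_chain(pem)
    affected_version = AFFECTED_MIN <= parse_version(version) < FIXED_IN
    multi_ca = len(chain) > 1
    if affected_version and multi_ca:
        verdict, advice = "VULNERABLE", ("every CA in the chain is trusted for mTLS; "
                                         "upgrade to 0.50.1 or trust only the single issuing CA")
    elif multi_ca:
        verdict, advice = "NOT_AFFECTED", "version is outside 0.49.0-0.50.0"
    else:
        verdict, advice = "NOT_AFFECTED", "single custom CA; the advisory excludes this setup"
    return {"verdict": verdict, "cert_count": len(chain), "affected_version": affected_version,
            "cas_in_bundle": [c["subject"] for c in chain], "advice": advice}


def single_ca_workaround(pem: str, keep_subject: str) -> str:
    """Build the advisory's workaround bundle: only the one CA that should be trusted.
    Which CA that is (normally the one issuing client certificates) is the operator's call."""
    for block, entry in zip(split_pem_bundle(pem), describe_chain(pem)):
        if entry["subject"] == keep_subject:
            return block
    raise ValueError(f"no certificate with subject CN {keep_subject!r} in bundle")


def _fake_cert_pem(issuer_cn: str, subject_cn: str) -> str:
    """CONSTRUCTED stand-in: only the Name bytes the CN scanner looks for, wrapped
    in a dummy SEQUENCE header. Not a valid X.509 certificate."""
    def name(cn: str) -> bytes:
        raw = cn.encode()
        return b"\x06\x03\x55\x04\x03\x0c" + bytes([len(raw)]) + raw
    der = b"\x30\x82\x00\x00" + name(issuer_cn) + name(subject_cn)
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"


# Constructed two-stage chain: a self-signed root plus the intermediate that issues client certs.
SAMPLE_CHAIN = (_fake_cert_pem("Corp Root CA", "Corp Root CA")
                + _fake_cert_pem("Corp Root CA", "Corp Kafka Issuing CA"))

if __name__ == "__main__":
    print(assess("0.50.0", SAMPLE_CHAIN))
    print(single_ca_workaround(SAMPLE_CHAIN, "Corp Kafka Issuing CA"))
```

Running it on the constructed chain with version 0.50.0 reports two CAs in the bundle and a VULNERABLE verdict; the same bundle under 0.50.1, or the single-CA bundle that `single_ca_workaround` produces under any version, reports NOT_AFFECTED, which mirrors the three cases the advisory distinguishes.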

Details

CWE(s)

CWE-287 Improper Authentication; CWE-295 Improper Certificate Validation; CWE-296 Improper Following of a Certificate's Chain of Trust

Affected Products

Linux Foundation, Strimzi Kafka Operator: versions 0.49.0 to 0.50.1 (0.50.1 is the fixed release)

CVEs Like This One

CVE-2026-27815 (same vendor: Linux Foundation)
CVE-2026-24124 (same vendor: Linux Foundation)
CVE-2026-33701 (same vendor: Linux Foundation)
CVE-2025-68137 (same vendor: Linux Foundation)
CVE-2026-35171 (same vendor: Linux Foundation)
CVE-2026-22790 (same vendor: Linux Foundation)
CVE-2026-33009 (same vendor: Linux Foundation)
CVE-2026-27816 (same vendor: Linux Foundation)
CVE-2026-25153 (same vendor: Linux Foundation)
CVE-2026-29186 (same vendor: Linux Foundation)
