Cyber Resilience

CVE-2026-33557

Severity: Critical (updated)
Published: 20 April 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0050 (39.0th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-33557 is a critical-severity Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285) vulnerability in Apache Kafka. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 39.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2026-33557 is a high-severity vulnerability (CVSS 3.1 score of 9.1) in Apache Kafka, stemming from the default broker property `sasl.oauthbearer.jwt.validator.class` being set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. This validator accepts any JSON Web Token (JWT) without verifying its signature, issuer, or audience, allowing improper authentication. The issue affects Apache Kafka versions 4.1.0 and 4.1.1.

A remote attacker with network access to the Kafka broker can exploit this vulnerability without privileges or user interaction by generating a custom JWT token from any issuer, setting the `preferred_username` claim to impersonate any valid user. Successful exploitation enables high confidentiality and integrity impacts, such as unauthorized access to topics, data exfiltration, or message injection, corresponding to CWE-1285 (Improper Validation of Specified Index or Position).

Apache Kafka advisories recommend that users of versions 4.1.0 and 4.1.1 explicitly configure `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` as a mitigation. The vulnerability is fixed in Kafka 4.1.2, 4.2.0, and later releases, where JWT validation is properly enforced. Additional details are available in the official Kafka CVE list at https://kafka.apache.org/cve-list and related mailing list announcements.

Vulnerability details

A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the `preferred_username` set to any user, and the broker will accept it. We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.
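To check whether a broker is still exposed to this issue, the following added example (not Apache Kafka's own code) parses a server.properties in memory and reports every scope whose effective validator is still DefaultJwtValidator on an affected version with OAUTHBEARER enabled. It assumes Kafka's listener-prefixed override form `listener.name.<listener>.oauthbearer.<config>` and uses constructed sample configs rather than any real deployment.

```python
import re

# Values named in the advisory; the version set is the advisory's (fixed in 4.1.2 and 4.2.0).
VALIDATOR_KEY = "sasl.oauthbearer.jwt.validator.class"
DEFAULT_VALIDATOR = "org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator"
SAFE_VALIDATOR = "org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator"
AFFECTED_VERSIONS = {"4.1.0", "4.1.1"}
# Assumed override form: listener.name.<listener>.<mechanism>.<config> (Kafka's per-listener prefix).
LISTENER_RE = re.compile(r"^listener\.name\.([^.]+)\.oauthbearer\." + re.escape(VALIDATOR_KEY) + "$")

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, 'key=value' or 'key: value'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def oauthbearer_enabled(props):
    mechs = props.get("sasl.enabled.mechanisms", "")
    return "OAUTHBEARER" in [m.strip().upper() for m in mechs.split(",")]

def effective_validators(props):
    """Validator class in force per scope: 'broker' plus any listener-level override."""
    scopes = {"broker": props.get(VALIDATOR_KEY, DEFAULT_VALIDATOR)}  # unset means the unsafe default
    for key, value in props.items():
        m = LISTENER_RE.match(key)
        if m:
            scopes[m.group(1)] = value
    return scopes

def exposed_scopes(config_text, kafka_version):
    """Scopes still using DefaultJwtValidator on an affected version with OAUTHBEARER enabled."""
    if kafka_version not in AFFECTED_VERSIONS:
        return []
    props = parse_properties(config_text)
    if not oauthbearer_enabled(props):
        return []
    return sorted(s for s, v in effective_validators(props).items() if v == DEFAULT_VALIDATOR)

# Constructed sample configs (not from a real deployment).
VULNERABLE = "listeners=SASL_SSL://:9093\nsasl.enabled.mechanisms=OAUTHBEARER\n"
HARDENED = VULNERABLE + f"{VALIDATOR_KEY}={SAFE_VALIDATOR}\n"
# Global setting hardened, but one listener overrides it back to the default.
MIXED = HARDENED + f"listener.name.sasl_ssl.oauthbearer.{VALIDATOR_KEY}={DEFAULT_VALIDATOR}\n"
```

The mixed case is the one worth remembering: a hardened global setting is undone by a listener-level override, so the audit walks every scope rather than only the bare property.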

Related Threats

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1134.001 Token Impersonation/Theft (Stealth): Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls.
T1684.001 Impersonation (Stealth): Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf.
Why these techniques?

Vulnerability enables remote exploitation of Kafka broker (T1210) via forged JWT for user impersonation (T1134.001) and general impersonation (T1656).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-26866 (same vendor: Apache)
CVE-2026-35337 (same vendor: Apache)
CVE-2026-40453 (same vendor: Apache)
CVE-2024-47552 (same vendor: Apache)
CVE-2026-27172 (same vendor: Apache)
CVE-2025-66524 (same vendor: Apache)
CVE-2026-40858 (same vendor: Apache)
CVE-2025-54920 (same vendor: Apache)
CVE-2016-15057 (same vendor: Apache)
CVE-2026-27314 (same vendor: Apache)

Affected Assets

Vendor: apache
Product: kafka
Versions: 4.1.0 — 4.1.2

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, and correction of system flaws like the improper JWT validation in Apache Kafka versions 4.1.0 and 4.1.1 by patching to fixed releases such as 4.1.2.

CM-6 Configuration Settings (prevent): Mandates secure configuration settings for the `sasl.oauthbearer.jwt.validator.class` property to use `BrokerJwtValidator`, enforcing JWT signature, issuer, and audience validation to block forged tokens.

IA-2 Identification and Authentication (Organizational Users) (prevent): Ensures robust identification and authentication mechanisms that validate JWT tokens against impersonation via unverified signatures, issuers, or audiences in Kafka's SASL/OAuthBearer.