CVE-2026-33557
Published: 20 April 2026
Summary
CVE-2026-33557 is a critical-severity Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285) vulnerability in Apache Kafka. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). It ranks at the 39.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
CVE-2026-33557 is a critical-severity vulnerability (CVSS 3.1 base score 9.1) in Apache Kafka, stemming from the default broker property `sasl.oauthbearer.jwt.validator.class` being set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. This validator accepts any JSON Web Token (JWT) without verifying its signature, issuer, or audience, allowing improper authentication. The issue affects Apache Kafka versions 4.1.0 and 4.1.1.
A remote attacker with network access to the Kafka broker can exploit this vulnerability without privileges or user interaction by generating a custom JWT token from any issuer, setting the `preferred_username` claim to impersonate any valid user. Successful exploitation enables high confidentiality and integrity impacts, such as unauthorized access to topics, data exfiltration, or message injection, corresponding to CWE-1285 (Improper Validation of Specified Index or Position).
Apache Kafka advisories recommend that users of versions 4.1.0 and 4.1.1 explicitly configure `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` as a mitigation. The vulnerability is fixed in Kafka 4.1.2, 4.2.0, and later releases, where JWT validation is properly enforced. Additional details are available in the official Kafka CVE list at https://kafka.apache.org/cve-list and related mailing list announcements.
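To check whether a broker is exposed to this issue, the following audit script is an added example, not part of this advisory or of Apache Kafka itself. It assumes a standard `server.properties` file, treats an unset `sasl.oauthbearer.jwt.validator.class` as the vulnerable `DefaultJwtValidator` default, and ignores per-listener configuration overrides; the sample configurations are constructed.

```python
"""Audit a Kafka broker's server.properties for exposure to CVE-2026-33557.
Added example (not Apache Kafka code): an unset validator class is treated as
the vulnerable default; per-listener overrides are not considered."""
from __future__ import annotations

AFFECTED_VERSIONS = {"4.1.0", "4.1.1"}          # fixed in 4.1.2 / 4.2.0 and later
VALIDATOR_KEY = "sasl.oauthbearer.jwt.validator.class"
SAFE_VALIDATOR = "org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator"
UNSAFE_VALIDATOR = "org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator"

# Constructed sample configurations (not taken from any real deployment).
SAMPLE_VULNERABLE = """
# broker with OAUTHBEARER enabled and the validator left at its default
sasl.enabled.mechanisms=OAUTHBEARER,SCRAM-SHA-512
sasl.oauthbearer.jwks.endpoint.url=https://idp.example/jwks
"""
SAMPLE_MITIGATED = SAMPLE_VULNERABLE + f"{VALIDATOR_KEY}={SAFE_VALIDATOR}\n"


def parse_properties(text: str) -> dict[str, str]:
    """Minimal .properties parser: key=value or key:value, '#'/'!' comments.
    Backslash continuations and escape sequences are not handled."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:                    # bare key with an empty value
            props[line] = ""
            continue
        sep = min(seps)                 # first separator wins (URLs contain ':')
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def assess(props: dict[str, str], broker_version: str) -> str:
    """Return 'not_affected', 'not_applicable', 'vulnerable' or 'mitigated'."""
    if broker_version not in AFFECTED_VERSIONS:
        return "not_affected"
    enabled = {m.strip().upper() for m in props.get("sasl.enabled.mechanisms", "").split(",")}
    if "OAUTHBEARER" not in enabled:
        return "not_applicable"         # the weak validator is only reachable via OAUTHBEARER
    validator = props.get(VALIDATOR_KEY, UNSAFE_VALIDATOR)  # missing key == vulnerable default
    return "mitigated" if validator == SAFE_VALIDATOR else "vulnerable"
```

Run `assess(parse_properties(open("server.properties").read()), "4.1.1")` against each broker's file; anything other than `mitigated` on an affected version needs the explicit `BrokerJwtValidator` setting or an upgrade.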
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23846
Vulnerability details
A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the `preferred_username` set to any user, and the broker will accept it. We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables remote exploitation of Kafka broker (T1210) via forged JWT for user impersonation (T1134.001) and general impersonation (T1656).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Requires timely identification, reporting, and correction of system flaws like the improper JWT validation in Apache Kafka versions 4.1.0 and 4.1.1 by patching to fixed releases such as 4.1.2.
Mandates secure configuration settings for the `sasl.oauthbearer.jwt.validator.class` property to use `BrokerJwtValidator`, enforcing JWT signature, issuer, and audience validation to block forged tokens.
Ensures robust identification and authentication mechanisms that validate JWT tokens against impersonation via unverified signatures, issuers, or audiences in Kafka's SASL/OAuthBearer.