Bug 2459739 (CVE-2026-33557)

Summary: CVE-2026-33557 kafka: Apache Kafka: Authentication bypass via improper JWT validation
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: high
Priority: high
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in Apache Kafka. By default, the `sasl.oauthbearer.jwt.validator.class` property is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`, which does not validate JSON Web Token (JWT) signatures, issuers, or audiences. A remote attacker can exploit this by crafting a malicious JWT token with an arbitrary `preferred_username`, leading to an authentication bypass and unauthorized access to the Kafka broker.

Description OSIDB Bzimport 2026-04-20 14:01:31 UTC
A possible security vulnerability has been identified in Apache Kafka.

By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the `preferred_username` set to any user, and the broker will accept it.

We advise Kafka users running Kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` explicitly to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` to avoid this vulnerability. As of Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and the broker correctly validates the JWT token.
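The advice above boils down to a config audit: is OAUTHBEARER enabled, is the broker on an affected version, and is the validator class explicitly set? The following script is an added example (not Kafka's own code) that checks a broker's `server.properties` for exactly that; the property and class names and the version boundaries come from the advisory, the `listener.name.<listener>.oauthbearer.<key>` form is Kafka's standard per-listener SASL override convention, and the sample configurations are constructed.

```python
import re

VALIDATOR_KEY = "sasl.oauthbearer.jwt.validator.class"
DEFAULT_VALIDATOR = "org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator"
SAFE_VALIDATOR = "org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator"
FIXED_FROM = (4, 1, 2)  # per the advisory, 4.1.2 and 4.2.0+ validate the JWT correctly


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key: value,
    and trailing-backslash line continuations."""
    props, buf = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", buf + line)
        buf = ""
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(properties_text, kafka_version):
    """Return 'not_applicable', 'fixed_version', 'vulnerable', 'mitigated' or 'review'."""
    props = parse_properties(properties_text)
    mechs = {m.strip().upper() for m in props.get("sasl.enabled.mechanisms", "").split(",")}
    if "OAUTHBEARER" not in mechs:
        return "not_applicable"   # the flawed validator is only reachable via OAUTHBEARER
    if tuple(int(p) for p in re.findall(r"\d+", kafka_version)[:3]) >= FIXED_FROM:
        return "fixed_version"
    # Global key plus any listener-scoped override; an unset key means DefaultJwtValidator.
    effective = {k: v for k, v in props.items()
                 if k == VALIDATOR_KEY
                 or (k.startswith("listener.name.") and k.endswith("." + VALIDATOR_KEY))}
    effective.setdefault(VALIDATOR_KEY, DEFAULT_VALIDATOR)
    if DEFAULT_VALIDATOR in effective.values():
        return "vulnerable"       # no signature/issuer/audience check on presented JWTs
    if all(v == SAFE_VALIDATOR for v in effective.values()):
        return "mitigated"
    return "review"               # custom validator class: confirm it checks signature, iss, aud


WEAK_CONFIG = """# constructed sample: OAUTHBEARER enabled, validator left at its default
listeners=SASL_SSL://:9093
sasl.enabled.mechanisms=OAUTHBEARER, PLAIN
"""
HARDENED_CONFIG = WEAK_CONFIG + VALIDATOR_KEY + "=" + SAFE_VALIDATOR + "\n"
```

Run `audit(open("server.properties").read(), "4.1.1")` against a real broker config; a listener-scoped override back to `DefaultJwtValidator` is reported as vulnerable even when the global key is hardened.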