CVE-2026-10143
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk39th percentile - higher than 39% of all known CVEs
Summary
The kafka-python library prior to version 2.3.2 contains a denial-of-service vulnerability in SCRAM authentication handling. A malicious or man-in-the-middle broker can supply an excessively large iteration count, freezing the client event loop.
Risk Assessment
An attacker can halt producers, consumers, and admin operations, causing consumer group eviction and repeated reconnection failures. This disrupts applications relying on Kafka.
Recommendation
Immediately upgrade kafka-python to version 2.3.2 or later, which includes validation of the SCRAM iteration count.
Original NVD description (English source)
kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in SCRAM authentication handling that allows a malicious or machine-in-the-middle broker to freeze the client event loop by supplying an excessively large iteration count. In scram.py, ScramClient.process_server_first_message() passes the broker-controlled SCRAM iteration count directly to hashlib.pbkdf2_hmac() without validation, blocking producer sends, consumer polls, admin operations, and heartbeats, which can cause consumer group eviction and repeated reconnect failures.

