CVE Catalog

CVE-2026-10143

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.50%

39th percentile - higher than 39% of all known CVEs

Summary

The kafka-python library prior to version 2.3.2 contains a denial-of-service vulnerability in SCRAM authentication handling. A malicious or man-in-the-middle broker can supply an excessively large iteration count, freezing the client event loop.

Risk Assessment

An attacker can halt producers, consumers, and admin operations, causing consumer group eviction and repeated reconnection failures. This disrupts applications relying on Kafka.

Recommendation

Immediately upgrade kafka-python to version 2.3.2 or later, which includes validation of the SCRAM iteration count.

Original NVD description (English source)

kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in SCRAM authentication handling that allows a malicious or machine-in-the-middle broker to freeze the client event loop by supplying an excessively large iteration count. In scram.py, ScramClient.process_server_first_message() passes the broker-controlled SCRAM iteration count directly to hashlib.pbkdf2_hmac() without validation, blocking producer sends, consumer polls, admin operations, and heartbeats, which can cause consumer group eviction and repeated reconnect failures.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS