CVE-2026-33557
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk43th percentile — higher than 43% of all known CVEs
Summary
In Apache Kafka, the default JWT validator class (`DefaultJwtValidator`) accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a token from any issuer with any username, and the broker will accept it.
Risk Assessment
The risk is impersonation of any user without knowledge of signing keys, potentially leading to unauthorized access to the Kafka cluster and compromise of data confidentiality and integrity.
Recommendation
Explicitly set the broker property `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` in versions 4.1.0 and 4.1.1, and upgrade to versions 4.1.2+ or 4.2.0+ where the issue is fixed.
Original NVD description (English source)
A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the `preferred_username` set to any user, and the broker will accept it. We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.

