
CVE-2025-61673: CWE-306: Missing Authentication for Critical Function in Aiven-Open karapace

High
Tags: Vulnerability, CVE-2025-61673, cve, cwe-306, cwe-288
Published: Fri Oct 03 2025 (10/03/2025, 21:12:24 UTC)
Source: CVE Database V5
Vendor/Project: Aiven-Open
Product: karapace

Description

Karapace is an open-source implementation of Kafka REST and Schema Registry. Versions 5.0.0 and 5.0.1 contain an authentication bypass vulnerability when configured to use OAuth 2.0 Bearer Token authentication. If a request is sent without an Authorization header, the token validation logic is skipped entirely, allowing an unauthenticated user to read and write to Schema Registry endpoints that should otherwise be protected. This effectively renders the OAuth authentication mechanism ineffective. This issue is fixed in version 5.0.2.

AI-Powered Analysis

AI analysis last updated: 10/03/2025, 21:20:07 UTC

Technical Analysis

CVE-2025-61673 is a critical authentication bypass vulnerability affecting Karapace, an open-source implementation of Kafka REST and Schema Registry, specifically versions 5.0.0 and 5.0.1. Karapace is commonly used to provide RESTful access to Kafka schema registries, which are essential for managing schemas in distributed event streaming architectures. The vulnerability arises when Karapace is configured to use OAuth 2.0 Bearer Token authentication. Due to a flaw in the authentication logic, if an HTTP request is sent without an Authorization header, the token validation step is completely skipped. This means that unauthenticated users can access and interact with Schema Registry endpoints that should be protected, effectively bypassing OAuth authentication controls. The impact is severe because it allows unauthorized read and write operations on schema data, potentially leading to data integrity compromise, unauthorized schema changes, and exposure of sensitive schema information. This vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and CWE-288 (Authentication Bypass Using an Alternate Path or Channel). The issue was fixed in Karapace version 5.0.2. The CVSS v3.1 base score is 8.6 (high severity), reflecting the network exploitable nature, no required privileges or user interaction, and significant impact on integrity and some impact on confidentiality and availability. No known exploits are reported in the wild as of publication, but the ease of exploitation and criticality of the affected functions make this a serious threat.
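The flaw described above is a fail-open authentication check: the token is validated only when an Authorization header happens to be present. The following is an added illustration, not Karapace's source code and not the actual patch; the request and response shapes, the `VALID_TOKENS` table and the `/subjects` handler are constructed stand-ins. It places the fail-open pattern next to the fail-closed one so the difference in behaviour for a header-less request is explicit.

```python
"""
Fail-open vs. fail-closed bearer-token checks, modelled on the behaviour
described for CVE-2025-61673. Constructed example code, not Karapace's
implementation; request/response types and the token table are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed stand-in for validated OAuth 2.0 bearer tokens. A real
# deployment verifies signature, issuer, audience and expiry instead.
VALID_TOKENS = {"good-token": "schema-admin"}


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def validate_bearer(header_value: str) -> Optional[str]:
    """Return the principal for a well-formed, known bearer token, else None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return VALID_TOKENS.get(token.strip())


def auth_fail_open(request: Request) -> Optional[str]:
    """Vulnerable pattern: validation runs only when a header is present.
    A request with no Authorization header is never rejected."""
    auth = request.headers.get("Authorization")
    if auth is not None:
        principal = validate_bearer(auth)
        if principal is None:
            raise PermissionError("invalid token")
        return principal
    return None  # no header: no check performed, request proceeds


def auth_fail_closed(request: Request) -> str:
    """Hardened pattern: absence of the header is itself an auth failure."""
    auth = request.headers.get("Authorization")
    if auth is None:
        raise PermissionError("missing Authorization header")
    principal = validate_bearer(auth)
    if principal is None:
        raise PermissionError("invalid token")
    return principal


def protected_handler(request: Request, principal: Optional[str]) -> Response:
    """Hypothetical Schema Registry endpoint that must only serve a principal."""
    return Response(200, f"subjects for {principal}")


def dispatch(request: Request, auth_fn: Callable[[Request], Optional[str]]) -> Response:
    """Run the auth function, then the handler; map auth failures to 401."""
    try:
        principal = auth_fn(request)
    except PermissionError as exc:
        return Response(401, str(exc))
    return protected_handler(request, principal)


if __name__ == "__main__":
    no_header = Request("GET", "/subjects")
    print("fail-open, no header :", dispatch(no_header, auth_fail_open).status)
    print("fail-closed, no header:", dispatch(no_header, auth_fail_closed).status)
```

The point to carry into a code review is that every branch of an authentication function must end in either an established principal or a rejection; a path that returns without doing either is the bypass.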

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those relying on Karapace for Kafka schema management in critical data pipelines. Unauthorized access to schema registries can lead to unauthorized schema modifications, which may cause downstream data processing failures, data corruption, or injection of malicious data formats. This can disrupt business operations, impact data integrity, and potentially lead to compliance violations under regulations such as GDPR if personal data schemas are manipulated or exposed. The ability to read schema data without authentication also risks exposure of sensitive metadata. Given that Kafka and its ecosystem are widely adopted in financial services, telecommunications, and manufacturing sectors across Europe, exploitation could impact critical infrastructure and services. The lack of authentication enforcement undermines trust in the security of event streaming architectures, potentially leading to broader systemic risks if attackers leverage this to pivot into other parts of the network.

Mitigation Recommendations

European organizations using Karapace versions 5.0.0 or 5.0.1 should immediately upgrade to version 5.0.2 or later where the authentication bypass is fixed. Until upgrade is possible, organizations should implement compensating controls such as network-level access restrictions to limit access to Karapace endpoints only to trusted internal IP ranges or VPN users. Additionally, deploying Web Application Firewalls (WAFs) with rules to block requests missing Authorization headers can help mitigate unauthorized access attempts. Monitoring and logging all access to Schema Registry endpoints should be enhanced to detect anomalous or unauthorized activities promptly. Organizations should also review and tighten OAuth 2.0 configurations and consider multi-factor authentication for administrative access. Finally, conducting a thorough audit of schema changes and access logs post-incident is recommended to identify any unauthorized modifications.
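The monitoring recommendation above can be turned into a concrete check: look for requests that reached Schema Registry endpoints without an Authorization header and still received a successful status. The script below is an added example, not part of this advisory and not code from Karapace or any WAF product. It assumes an access-log format that records whether a bearer token was present (the `auth=` field) and a representative set of protected path prefixes; both are assumptions to adapt to the real deployment, and the log lines are constructed.

```python
"""
Detection helper: flag requests to protected Schema Registry paths that
carried no Authorization header yet got a 2xx response. Constructed
example; the log format and the endpoint prefixes are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed log format: "<ts> <src> <METHOD> <path> <status> auth=<bearer|none>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) auth=(?P<auth>\S+)$"
)

# Assumed prefixes of Schema Registry endpoints that should require a token.
PROTECTED_PREFIXES = ("/subjects", "/schemas", "/config", "/mode", "/compatibility")


@dataclass
class Finding:
    ts: str
    src: str
    method: str
    path: str
    status: int


def is_protected(path: str) -> bool:
    """True when the path is one of the protected prefixes or lies under one."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def find_unauthenticated_success(lines: Iterable[str]) -> List[Finding]:
    """Return requests that hit a protected path without a token and got 2xx.
    Lines that do not match the format are skipped, so a partially
    corrupted log still yields findings instead of aborting the scan."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        status = int(m["status"])
        if m["auth"] == "none" and is_protected(m["path"]) and 200 <= status < 300:
            findings.append(Finding(m["ts"], m["src"], m["method"], m["path"], status))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Count findings per source address and how many were write operations,
    since unauthenticated writes are the integrity risk the advisory stresses."""
    per_src: Dict[str, int] = {}
    writes = 0
    for f in findings:
        per_src[f.src] = per_src.get(f.src, 0) + 1
        if f.method in ("POST", "PUT", "DELETE"):
            writes += 1
    return {"total": len(findings), "writes": writes, "per_source": per_src}


# Constructed sample log lines for demonstration only.
SAMPLE_LOG = """\
2025-10-03T21:12:24Z 10.0.0.5 GET /subjects 200 auth=bearer
2025-10-03T21:12:30Z 203.0.113.9 GET /subjects 200 auth=none
2025-10-03T21:12:31Z 203.0.113.9 POST /subjects/orders-value/versions 200 auth=none
2025-10-03T21:12:40Z 10.0.0.7 GET /healthcheck 200 auth=none
2025-10-03T21:12:45Z 203.0.113.9 PUT /config/orders-value 401 auth=none
garbage line that does not parse
"""


if __name__ == "__main__":
    hits = find_unauthenticated_success(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.ts} {h.src} {h.method} {h.path} -> {h.status} without token")
    print(summarize(hits))
```

On a patched 5.0.2 instance every such request should appear with a 401, so a 2xx in this report on an instance that is believed to be fixed is itself worth investigating; on an unpatched instance the per-source counts tell you which clients to review in the schema-change audit the advisory recommends.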


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-09-29T20:25:16.180Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68e03dfe61cc5255ff0f5c84

Added to database: 10/3/2025, 9:19:58 PM

Last enriched: 10/3/2025, 9:20:07 PM

Last updated: 10/4/2025, 12:10:09 AM
