Karapace is an open-source implementation of Kafka REST and Schema Registry, widely used for managing Kafka schemas. Versions 5.0.0 and 5.0.1 contain a critical authentication bypass vulnerability (CVE-2025-61673) categorized under CWE-306 (Missing Authentication for Critical Function) and CWE-288 (Authentication Bypass). When Karapace is configured to use OAuth 2.0 Bearer Token authentication, the token validation logic erroneously skips verification if the Authorization header is missing from the request. This logic flaw allows attackers to send requests without any authentication token and gain unauthorized read and write access to Schema Registry endpoints. Such access can lead to unauthorized schema modifications, data integrity violations, and potential disruption of Kafka-based data pipelines. The vulnerability has a CVSS 3.1 base score of 8.6, reflecting its high impact and ease of exploitation over the network without any privileges or user interaction. The issue was publicly disclosed on October 3, 2025, and fixed in Karapace version 5.0.2. No public exploits have been reported yet, but the vulnerability poses a significant risk to environments relying on OAuth for securing schema registry operations.

For European organizations, this vulnerability threatens the confidentiality, integrity, and availability of Kafka schema data managed by Karapace. Unauthorized access to schema registries can lead to data corruption, injection of malicious schema definitions, or disruption of data streaming services critical for business operations. Industries relying heavily on Kafka for real-time data processing, such as finance, telecommunications, and manufacturing, may face operational outages or compliance violations due to unauthorized schema changes. The lack of authentication enforcement could also expose sensitive metadata and intellectual property embedded in schemas. Given the network-exploitable nature and no requirement for user interaction or privileges, the risk of widespread exploitation in enterprise environments is significant if unpatched. The vulnerability undermines trust in OAuth-based security configurations, potentially affecting broader security postures.

European organizations using Karapace versions 5.0.0 or 5.0.1 should immediately upgrade to version 5.0.2 or later, where the authentication bypass flaw is fixed. Until upgrading, organizations should implement compensating controls such as restricting network access to Schema Registry endpoints via firewall rules or VPNs to trusted users only. Review and audit OAuth 2.0 configurations to ensure Authorization headers are strictly enforced and logged. Employ runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect and block requests missing Authorization headers targeting schema registry APIs. Conduct thorough penetration testing and vulnerability scanning focused on authentication mechanisms in Kafka-related infrastructure. Additionally, monitor logs for anomalous access patterns or unauthorized schema modifications. Finally, incorporate this vulnerability into incident response plans to quickly address any exploitation attempts.