Strimzi is an open-source project that facilitates running Apache Kafka clusters on Kubernetes or OpenShift platforms. Between versions 0.47.0 and prior to 0.49.1, Strimzi's Kafka Operator incorrectly configures Kubernetes Role permissions for Kafka Connect and Kafka MirrorMaker 2 operands. Specifically, these operands are granted GET access to all Kubernetes Secrets within the namespace, which is broader than intended. Kubernetes Secrets often contain sensitive data such as credentials, tokens, and certificates. This misconfiguration violates the principle of least privilege and exposes sensitive information to unauthorized components or actors that control these operands. The vulnerability is tracked as CVE-2025-66623 with a CVSS v3.1 base score of 7.4, indicating high severity. The attack vector is adjacent network (AV:A), requiring no privileges (PR:N) or user interaction (UI:N), and impacts confidentiality with a scope change (S:C) because it can expose secrets beyond their intended boundaries. The flaw does not affect integrity or availability. No known exploits are reported in the wild as of publication. The issue is resolved in Strimzi version 0.49.1 by correcting the Kubernetes Role permissions to restrict GET access to only necessary secrets. Organizations deploying Kafka on Kubernetes or OpenShift using affected Strimzi versions should upgrade promptly to prevent unauthorized secret disclosure.

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive information stored as Kubernetes Secrets, including credentials, API keys, and certificates. Unauthorized access to these secrets could lead to further compromise of Kafka clusters, lateral movement within cloud-native environments, data breaches, and regulatory non-compliance, especially under GDPR. Since Kafka is often used for critical data streaming and messaging, exposure of secrets could disrupt secure communications and data integrity indirectly. The vulnerability affects any Kubernetes or OpenShift deployment using the vulnerable Strimzi Kafka Operator versions, which are common in cloud-native and containerized environments across Europe. The risk is heightened in multi-tenant or shared cluster environments where namespace boundaries are critical for isolation. The lack of required authentication or user interaction means attackers with network access to the cluster namespace could exploit this flaw. Although no known exploits exist yet, the potential impact on confidentiality and the widespread use of Kubernetes in Europe make this a pressing concern.

European organizations should immediately upgrade Strimzi Kafka Operator to version 0.49.1 or later, where the Kubernetes Role permissions are correctly scoped. Until upgrading is possible, organizations should audit Kubernetes RoleBindings and ClusterRoleBindings associated with Kafka Connect and MirrorMaker 2 operands to ensure they do not grant excessive permissions to Secrets. Implement strict namespace isolation and network segmentation to limit access to the Kubernetes API server and restrict which users or service accounts can deploy or manage Kafka Connect and MirrorMaker 2 components. Employ Kubernetes Pod Security Policies or OPA Gatekeeper policies to enforce least privilege access controls. Regularly rotate Kubernetes Secrets and monitor audit logs for unusual GET requests to Secrets. Additionally, consider using external secret management solutions that provide more granular access controls and auditing capabilities. Finally, ensure that all Kafka-related components run with minimal privileges necessary for their function.