CVE-2025-66623: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in strimzi strimzi-kafka-operator
Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 and prior to 0.49.1, in some situations, Strimzi creates an incorrect Kubernetes Role which grants the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands the GET access to all Kubernetes Secrets that exist in the given Kubernetes namespace. The issue is fixed in Strimzi 0.49.1.
AI Analysis
Technical Summary
Strimzi is an open-source project for running Apache Kafka clusters on Kubernetes and OpenShift. From version 0.47.0 up to, but not including, 0.49.1, a vulnerability (CVE-2025-66623) exists because, in some situations, Strimzi creates an incorrect Kubernetes Role. This misconfiguration grants the Kafka Connect and Kafka MirrorMaker 2 operands GET permission on all Kubernetes Secrets in their namespace. Kubernetes Secrets often contain sensitive data such as credentials, tokens, and certificates. The vulnerability stems from an improper role-based access control (RBAC) definition that violates the principle of least privilege. The CVSS 3.1 score is 7.4 (high), reflecting that the vulnerability can be exploited over the network (attack vector: adjacent network), requires no privileges or user interaction, and results in a complete confidentiality breach (high impact on confidentiality, no impact on integrity or availability). The scope is changed because the vulnerability affects multiple components and potentially multiple namespaces if misconfigured. The flaw is fixed in Strimzi 0.49.1 by correcting the Kubernetes Role so that access is restricted appropriately. No public exploits are known, but the vulnerability poses a significant risk in multi-tenant or sensitive environments where Kubernetes Secrets hold critical information.
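To make the misconfiguration concrete, here is an added audit script (not Strimzi code and not from this advisory) that scans the JSON output of `kubectl get roles -o json` for rules granting unrestricted read access to Secrets in the core API group. The Role names, namespace and rules are constructed assumptions modelled on the advisory; the check also treats `list` and `watch` as reads, since those verbs return Secret contents too, which goes slightly beyond the GET verb the advisory names.

```python
import json

# Constructed sample shaped like `kubectl get roles -n kafka -o json`.
# Role and Secret names are hypothetical, modelled on the advisory.
SAMPLE_ROLE_LIST = json.loads("""
{"kind": "RoleList", "items": [
  {"kind": "Role", "metadata": {"name": "my-connect-connect", "namespace": "kafka"},
   "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
  {"kind": "Role", "metadata": {"name": "my-connect-connect-fixed", "namespace": "kafka"},
   "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
              "resourceNames": ["my-connect-connect-config"]}]},
  {"kind": "Role", "metadata": {"name": "cm-reader", "namespace": "kafka"},
   "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]}
]}
""")

# get, list and watch all return Secret data; "*" covers every verb.
SECRET_READ_VERBS = {"get", "list", "watch", "*"}


def grants_broad_secret_read(rule):
    """True if one RBAC rule lets the subject read Secret contents in the
    core API group without being pinned to specific resourceNames."""
    api_groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    core_group = "" in api_groups or "*" in api_groups
    touches_secrets = "secrets" in resources or "*" in resources
    reads = bool(verbs & SECRET_READ_VERBS)
    pinned = bool(rule.get("resourceNames"))
    return core_group and touches_secrets and reads and not pinned


def overbroad_secret_roles(role_list):
    """Names of Roles (or ClusterRoles) in a kubectl list that carry at
    least one rule flagged by grants_broad_secret_read."""
    return sorted(
        item["metadata"]["name"]
        for item in role_list.get("items", [])
        if any(grants_broad_secret_read(r) for r in item.get("rules") or [])
    )


if __name__ == "__main__":
    for name in overbroad_secret_roles(SAMPLE_ROLE_LIST):
        print(f"over-broad Secret read access: {name}")
```

Pipe real `kubectl get roles,clusterroles -o json` output into `overbroad_secret_roles` to find Roles of the shape this advisory describes; a Role pinned with `resourceNames` passes.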
Potential Impact
For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive information such as database credentials, API keys, and TLS certificates stored as Kubernetes Secrets. Such exposure can facilitate further attacks, including lateral movement, privilege escalation, or data exfiltration. Organizations running the Strimzi Kafka Operator in production Kubernetes or OpenShift clusters, especially in sectors such as finance, healthcare, and critical infrastructure, face an increased risk of data breaches and compliance violations (e.g., under GDPR). Because exploitation requires no authentication, an attacker with network access to the Kubernetes namespace running the affected components can exploit it. This could undermine trust in cloud-native deployments and disrupt business operations if sensitive secrets are compromised. Although no active exploits have been reported, the potential impact on confidentiality and the widespread use of Strimzi in European cloud-native environments make this a critical concern.
Mitigation Recommendations
European organizations should immediately upgrade the Strimzi Kafka Operator to version 0.49.1 or later, where the issue is fixed. Until an upgrade is possible, restrict network access to Kubernetes namespaces running Strimzi components to trusted users and systems only. Review and audit the Kubernetes RBAC Roles and RoleBindings created for Kafka Connect and MirrorMaker 2 to ensure they do not grant excessive permissions, in particular GET access to all Secrets in the namespace. Implement Kubernetes admission controllers or policy engines (e.g., OPA Gatekeeper) to enforce least privilege and prevent the creation of overly permissive Roles. Rotate any Secrets that may have been exposed while a vulnerable version was in use. Monitor Kubernetes audit logs for suspicious access to Secrets. Consider isolating Kafka Connect and MirrorMaker 2 workloads in separate namespaces with minimal privileges. Educate DevOps and security teams on secure RBAC practices and the importance of timely patching in Kubernetes environments.
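For the audit-log monitoring step, here is an added example (not from the advisory or the Strimzi project) that reads kube-apiserver audit events and flags Secret reads by a workload service account that fall outside the set of Secrets it is expected to touch. The events, namespace, service-account and Secret names are constructed; the expected-reads map is an assumption you would fill in from your own deployment.

```python
import json

# Constructed kube-apiserver audit events, one JSON object per line, trimmed
# to the fields used here. Namespace, Secret and service-account names are hypothetical.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:kafka:my-connect-connect"},"objectRef":{"resource":"secrets","namespace":"kafka","name":"my-connect-connect-config"},"responseStatus":{"code":200}}
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:kafka:my-connect-connect"},"objectRef":{"resource":"secrets","namespace":"kafka","name":"db-credentials"},"responseStatus":{"code":200}}
{"kind":"Event","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:kafka:my-mm2-mirrormaker2"},"objectRef":{"resource":"secrets","namespace":"kafka"},"responseStatus":{"code":200}}
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:kafka:my-connect-connect"},"objectRef":{"resource":"configmaps","namespace":"kafka","name":"my-connect-connect-config"},"responseStatus":{"code":200}}
{"kind":"Event","stage":"RequestReceived","verb":"get","user":{"username":"system:serviceaccount:kafka:my-connect-connect"},"objectRef":{"resource":"secrets","namespace":"kafka","name":"db-credentials"}}
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:kafka:my-connect-connect"},"objectRef":{"resource":"secrets","namespace":"kafka","name":"tls-ca"},"responseStatus":{"code":403}}
"""

# Secrets each workload service account is expected to read (assumption;
# fill from your own deployment). Anything else it reads is a finding.
EXPECTED_SECRET_READS = {
    "system:serviceaccount:kafka:my-connect-connect": {"my-connect-connect-config"},
    "system:serviceaccount:kafka:my-mm2-mirrormaker2": {"my-mm2-mirrormaker2-config"},
}

SECRET_READ_VERBS = {"get", "list", "watch"}


def parse_audit_events(text):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def unexpected_secret_reads(events, expected=EXPECTED_SECRET_READS):
    """Return (service account, namespace, secret) for each successful Secret
    read by a service account outside its expected set. list/watch carry no
    name in objectRef, so they surface as '*' and are always a finding."""
    findings = []
    for ev in events:
        if ev.get("stage") != "ResponseComplete":
            continue  # count each request once, not its RequestReceived echo
        if ev.get("verb") not in SECRET_READ_VERBS:
            continue
        ref = ev.get("objectRef", {})
        if ref.get("resource") != "secrets":
            continue
        if ev.get("responseStatus", {}).get("code", 0) >= 400:
            continue  # a denied read is RBAC doing its job, not an exposure
        user = ev.get("user", {}).get("username", "")
        if not user.startswith("system:serviceaccount:"):
            continue  # human and admin access is reviewed separately
        name = ref.get("name", "*")
        if name not in expected.get(user, set()):
            findings.append((user, ref.get("namespace"), name))
    return findings
```

Feed it the audit log produced by a policy that records `secrets` at the Metadata level; a Connect or MirrorMaker 2 service account reading anything beyond its own configuration Secret is what an over-broad Role from the affected versions would make possible.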
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-05T15:18:02.788Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69332850f88dbe026c04683b
Added to database: 12/5/2025, 6:45:36 PM
Last enriched: 12/12/2025, 7:13:59 PM
Last updated: 1/20/2026, 2:15:20 PM