
CVE-2026-25999: CWE-285: Improper Authorization in Aiven-Open klaw

High
Tags: Vulnerability, CVE-2026-25999, CWE-285
Published: Wed Feb 11 2026 (02/11/2026, 21:00:30 UTC)
Source: CVE Database V5
Vendor/Project: Aiven-Open
Product: klaw

Description

Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to 2.10.2, there is an improper access control vulnerability that allows unauthorized users to trigger a reset or deletion of metadata for any tenant. By sending a crafted request to the /resetMemoryCache endpoint, an attacker can clear cached configurations, environments, and cluster data. This vulnerability is fixed in 2.10.2.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/19/2026, 13:54:59 UTC

Technical Analysis

CVE-2026-25999 is an improper authorization vulnerability (CWE-285) in Aiven-Open's Klaw, a self-service Apache Kafka topic management and governance portal that serves multiple tenants. In versions prior to 2.10.2, the /resetMemoryCache REST endpoint does not enforce proper access control: a user holding only low privileges (CVSS PR:L) can send a crafted HTTP request that resets or deletes cached metadata for any tenant, not just their own. That metadata comprises configurations, environment settings, and cluster data on which Kafka governance depends. Exploitation requires no user interaction (UI:N) and is possible remotely over the network (AV:N). The impact falls on the integrity and availability of Kafka governance data and can disrupt or deny service to Kafka topic management. The CVSS v3.1 score is 7.1 (high), reflecting the ease of exploitation combined with significant impact on availability and integrity. No exploits are known in the wild, but the issue is a real risk in multi-tenant Kafka environments, where an attacker could disrupt operations or induce misconfigurations. The vulnerability was publicly disclosed on February 11, 2026, and fixed in Klaw version 2.10.2. Organizations running affected versions should prioritize upgrading and apply strict access controls to the management endpoints to mitigate the risk.

Potential Impact

The vulnerability allows unauthorized users with limited privileges to reset or delete critical Kafka governance metadata, impacting the integrity and availability of Kafka topic management. This can lead to disruption of Kafka operations, misconfiguration, or denial of service for tenants relying on Klaw for topic governance. In multi-tenant environments, attackers could target other tenants' configurations, causing cross-tenant impact and operational outages. The loss or reset of cached configurations and cluster data may require manual recovery, increasing operational overhead and risk of errors. Organizations relying on Klaw for Kafka governance may experience degraded service reliability and potential data governance issues. The vulnerability could also be leveraged as part of a broader attack chain to disrupt data pipelines or cloud services dependent on Kafka. Although exploitation requires some privileges, the ease of triggering the reset remotely without user interaction increases the threat level.

Mitigation Recommendations

1. Upgrade Klaw to version 2.10.2 or later, where the vulnerability is fixed.
2. Restrict network access to the /resetMemoryCache endpoint using firewall rules, API gateways, or network segmentation so that only trusted administrators can reach it.
3. Implement strong authentication and authorization controls for all Klaw management endpoints, ensuring that only fully authorized users can perform sensitive operations.
4. Monitor and audit access logs for unusual or unauthorized requests to the /resetMemoryCache endpoint or other critical APIs.
5. Employ role-based access control (RBAC) to minimize the privileges granted to users, reducing the risk of exploitation by low-privilege accounts.
6. In multi-tenant deployments, isolate tenant data and configurations as much as possible to limit cross-tenant impact.
7. Regularly back up Kafka governance metadata and configurations to enable rapid recovery after an accidental or malicious reset.
8. Conduct security assessments and penetration tests focusing on API endpoints to detect improper authorization issues proactively.
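Recommendation 4 asks for monitoring of requests to /resetMemoryCache. The script below is an added example, not code from the advisory or the Klaw project: it parses web-server access log lines in combined log format (the sample lines, usernames, IP addresses and the /api/topics path are constructed for the example) and reports every hit on /resetMemoryCache that did not come from an approved administrator on an approved network. The ADMIN_USERS and ADMIN_NETWORKS allowlists and the assumption that the log carries an authenticated username are site-specific assumptions. A finding whose request returned 2xx for a non-administrator is the signal that matters most, because on a patched instance such a request should be refused.

```python
"""Audit access logs for unauthorized hits on Klaw's /resetMemoryCache endpoint.

Added example; not Klaw project code. Assumes combined-log-format lines with an
authenticated username field and site-specific admin allowlists (constructed here).
"""
import ipaddress
import re
from dataclasses import dataclass

# Endpoint named in CVE-2026-25999. Matched on the path only, so a deployment
# under a context path (e.g. /klaw/resetMemoryCache) is still caught.
SENSITIVE_PATHS = ("/resetMemoryCache",)

# Site-specific allowlists: assumed values for this example.
ADMIN_USERS = {"superadmin"}
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# ip ident user [timestamp] "METHOD path protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (documentation IP ranges, made-up users).
SAMPLE_LOG = [
    '10.0.5.7 - superadmin [11/Feb/2026:21:05:01 +0000] "POST /resetMemoryCache?tenantId=101 HTTP/1.1" 200 12',
    '203.0.113.9 - alice [11/Feb/2026:21:07:44 +0000] "POST /resetMemoryCache?tenantId=102 HTTP/1.1" 200 12',
    '10.0.5.7 - superadmin [11/Feb/2026:21:08:10 +0000] "GET /api/topics?env=DEV HTTP/1.1" 200 5120',
    '10.0.9.3 - bob [11/Feb/2026:21:09:00 +0000] "GET /resetMemoryCache HTTP/1.1" 403 0',
]


@dataclass
class Finding:
    ip: str
    user: str
    ts: str
    method: str
    path: str
    status: int
    reason: str


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_sensitive(path):
    """True if the request path (query string ignored) ends in a sensitive endpoint."""
    base = path.split("?", 1)[0]
    return any(base == p or base.endswith(p) for p in SENSITIVE_PATHS)


def audit(lines, admin_users=ADMIN_USERS, admin_networks=ADMIN_NETWORKS):
    """Flag sensitive requests from unapproved users or networks; note if they succeeded."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_sensitive(rec["path"]):
            continue
        reasons = []
        if rec["user"] == "-":
            reasons.append("unauthenticated request")
        elif rec["user"] not in admin_users:
            reasons.append(f"user {rec['user']} is not an approved administrator")
        ip = ipaddress.ip_address(rec["ip"])
        if not any(ip in net for net in admin_networks):
            reasons.append(f"source {rec['ip']} is outside the admin networks")
        if not reasons:
            continue  # approved admin from an approved network: expected traffic
        status = int(rec["status"])
        if 200 <= status < 300:
            # A non-admin reset that succeeded points at an unpatched instance.
            reasons.append(f"request succeeded (HTTP {status}), possible unpatched instance")
        findings.append(Finding(rec["ip"], rec["user"], rec["ts"], rec["method"],
                                rec["path"], status, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.user} {f.method} {f.path} -> {f.status}: {f.reason}")
```

Run against the constructed sample, the script reports two findings: alice's successful reset from outside the admin network (the case to escalate) and bob's refused attempt from inside it (worth a look, but the 403 shows the control held).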


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-09T17:41:55.859Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 698cf19f4b57a58fa1cc1c9a

Added to database: 2/11/2026, 9:16:15 PM

Last enriched: 2/19/2026, 1:54:59 PM

Last updated: 3/29/2026, 1:39:58 AM

Views: 100


