
CVE-2026-27133: CWE-295: Improper Certificate Validation in strimzi strimzi-kafka-operator

Severity: Medium
Tags: Vulnerability, CVE-2026-27133, CWE-295, CWE-296
Published: Fri Feb 20 2026 (02/20/2026, 22:38:27 UTC)
Source: CVE Database V5
Vendor/Project: strimzi
Product: strimzi-kafka-operator

Description

Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 to before 0.50.1, when a chain consisting of multiple CA (Certificate Authority) certificates is used in the trusted certificates configuration of a Kafka Connect operand or of the target cluster in the Kafka MirrorMaker 2 operand, all of the certificates that are part of the CA chain will be trusted individually when connecting to the Apache Kafka cluster. Due to this error, the affected operand (Kafka Connect or Kafka MirrorMaker 2) might accept connections to Kafka brokers using server certificates signed by one of the other CAs in the CA chain and not just by the last CA in the chain. This issue is fixed in Strimzi 0.50.1.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/28/2026, 00:39:31 UTC

Technical Analysis

Strimzi is an open-source operator that runs Apache Kafka clusters on Kubernetes or OpenShift. Versions 0.47.0 through 0.50.0 of the strimzi-kafka-operator contain a certificate validation vulnerability (CVE-2026-27133) classified under CWE-295 (Improper Certificate Validation) and CWE-296. When trusted certificates are configured for Kafka Connect or Kafka MirrorMaker 2 operands and a chain of multiple Certificate Authority (CA) certificates is supplied, the operator incorrectly trusts each CA certificate in the chain individually rather than only the root or final CA. As a result, server certificates signed by any intermediate CA in the chain are accepted as valid when connecting to Kafka brokers, instead of trust being restricted to certificates signed by the designated root CA. This improper validation undermines the trust model of the TLS connection, potentially allowing an attacker who can present a certificate signed by an intermediate CA in the chain to impersonate Kafka brokers or intercept traffic. Exploitation requires high privileges on the cluster to modify the CA chain configuration but does not require user interaction. The vulnerability affects all deployments running the specified Strimzi versions with multi-CA chains in Kafka Connect or MirrorMaker 2 configurations. The issue is fixed in Strimzi version 0.50.1, which corrects the certificate validation logic to trust only the final CA in the chain as intended.

Potential Impact

The vulnerability can lead to unauthorized acceptance of server certificates signed by intermediate CAs, enabling man-in-the-middle (MITM) attacks or unauthorized broker impersonation. This compromises the confidentiality and integrity of Kafka cluster communications, potentially exposing sensitive data streams or allowing injection of malicious data. Organizations relying on Strimzi for Kafka orchestration in Kubernetes or OpenShift environments face risks of data breaches and operational disruption. Since Kafka is often used for critical data pipelines, this vulnerability could affect data analytics, financial transactions, or other sensitive workloads. The requirement for high privileges to exploit limits the attack surface to insiders or attackers who have already compromised cluster credentials. However, the widespread use of Strimzi in cloud-native environments means that many organizations globally could be impacted if they run vulnerable versions and use multi-CA chains. No known exploits are reported in the wild yet, but the medium CVSS score reflects a moderate risk that should be addressed promptly.

Mitigation Recommendations

The primary mitigation is to upgrade the strimzi-kafka-operator to version 0.50.1 or later, where the certificate validation logic is corrected. Until an upgrade is possible, organizations should avoid using multiple CA certificates in the trusted CA chain configuration for Kafka Connect and MirrorMaker 2 operands, limiting the configuration to a single trusted CA certificate to reduce risk. Review and audit the CA chain configurations to ensure only the intended root CAs are trusted. Implement strict access controls to limit who can modify Strimzi configurations and CA chains, reducing the risk of privilege abuse. Monitor Kafka broker connections and TLS certificate usage for anomalies that could indicate misuse of intermediate CA certificates. Employ network segmentation and zero-trust principles around Kafka clusters to limit exposure. Finally, maintain up-to-date backups and incident response plans in case of compromise.
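To make the mechanism described in the Technical Analysis and the audit step in the Mitigation Recommendations concrete, the following Go program is an added example; it is not Strimzi's code and does not come from the advisory. It builds a throwaway PKI in memory (a root CA, a CA underneath it that issues broker certificates, a broker certificate, and a certificate the root issued directly for an unrelated service) and compares two trust stores: one that anchors every certificate of a chain bundle individually, which is the behaviour the advisory describes, and one that anchors a single deliberately chosen CA. The AnchorsInBundle helper lists what a PEM bundle would trust if imported certificate by certificate, which is the check to run against a trusted-certificates secret during an audit. The CA and service names, and the choice of the broker-issuing CA as the intended anchor, are assumptions of this example; the example generalizes the advisory to any trust store that loads a chain file cert by cert.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // serial numbers for the constructed certificates

// issue creates a certificate for cn; parent == nil yields a self-signed CA.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // CAs sign other certificates
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth} // broker (server) use
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// AnchorsInBundle lists the subject of every certificate in a PEM bundle: each one becomes its
// own trust anchor when the bundle is imported certificate by certificate, as the advisory describes.
func AnchorsInBundle(bundle []byte) []string {
	var subjects []string
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if c, err := x509.ParseCertificate(block.Bytes); err == nil && block.Type == "CERTIFICATE" {
			subjects = append(subjects, c.Subject.CommonName)
		}
	}
	return subjects
}

// accepted reports whether a broker certificate verifies against the given trust anchors
// (hostname checking is left out; it is orthogonal to which CA is anchored).
func accepted(anchors *x509.CertPool, broker *x509.Certificate) bool {
	_, err := broker.Verify(x509.VerifyOptions{Roots: anchors})
	return err == nil
}

// Outcome records what each trust configuration accepts.
type Outcome struct {
	Anchors                          []string // subjects found in the constructed chain bundle
	LegitAllAnchors, OtherAllAnchors bool     // every certificate in the chain trusted individually
	LegitOneAnchor, OtherOneAnchor   bool     // only the CA that issues broker certificates trusted
}

// Demo builds a constructed PKI (root CA -> broker-issuing CA -> broker certificate) plus a
// certificate the root issued directly for another service, and compares both trust setups.
// Treating the broker-issuing CA as the intended anchor is an assumption of this example.
func Demo() Outcome {
	root, rootKey := issue("constructed-root-ca", true, nil, nil)
	brokerCA, brokerCAKey := issue("constructed-broker-ca", true, root, rootKey)
	broker, _ := issue("kafka-broker", false, brokerCA, brokerCAKey)
	other, _ := issue("some-other-service", false, root, rootKey)
	var bundle []byte // the chain as an operator might store it in a trusted-certificates secret
	for _, c := range []*x509.Certificate{brokerCA, root} {
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	all := x509.NewCertPool() // affected behaviour: every certificate in the bundle is an anchor
	all.AppendCertsFromPEM(bundle)
	one := x509.NewCertPool() // corrected behaviour: a single, deliberately chosen anchor
	one.AddCert(brokerCA)
	return Outcome{
		Anchors:         AnchorsInBundle(bundle),
		LegitAllAnchors: accepted(all, broker), OtherAllAnchors: accepted(all, other),
		LegitOneAnchor:  accepted(one, broker), OtherOneAnchor: accepted(one, other),
	}
}

func main() {
	o := Demo()
	fmt.Printf("anchors in bundle: %v\n", o.Anchors)
	fmt.Printf("every chain cert trusted: broker=%v other=%v\n", o.LegitAllAnchors, o.OtherAllAnchors)
	fmt.Printf("single anchor only:       broker=%v other=%v\n", o.LegitOneAnchor, o.OtherOneAnchor)
}
```

With every chain certificate anchored, both the broker certificate and the certificate the root issued for an unrelated service verify; with one anchor, only the broker certificate does. For an audit of a real deployment, only AnchorsInBundle applies: feed it the PEM bytes of the trusted-certificates secret, and any subject beyond the single CA you mean to trust is a finding to resolve by trimming the bundle or by upgrading to 0.50.1.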


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-17T18:42:27.044Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6998e47bbe58cf853bd9f753

Added to database: 2/20/2026, 10:47:23 PM

Last enriched: 2/28/2026, 12:39:31 AM

Last updated: 4/7/2026, 8:27:32 AM

