CVE-2026-33557: CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input in Apache Software Foundation Apache Kafka
A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the `preferred_username` set to any user, and the broker will accept it. We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.
AI Analysis
Technical Summary
The vulnerability in Apache Kafka relates to improper validation of JWT tokens in the SASL OAuthBearer authentication mechanism. By default, the broker property sasl.oauthbearer.jwt.validator.class is set to a validator that does not verify the JWT signature, issuer, or audience, effectively accepting any token. This allows attackers to generate tokens from arbitrary issuers with any preferred_username, bypassing authentication controls. Kafka versions 4.1.2 and later have corrected this by enforcing proper JWT validation. Users running versions 4.1.0 or 4.1.1 should manually set the validator class to org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator to prevent exploitation.
Potential Impact
An attacker can impersonate any user by presenting a crafted JWT token that is accepted by the broker without proper validation. This could lead to unauthorized access to Kafka resources and potential data exposure or manipulation. There are no known exploits in the wild at this time.
Mitigation Recommendations
Users running Apache Kafka versions 4.1.0 or 4.1.1 should explicitly set the broker configuration property sasl.oauthbearer.jwt.validator.class to org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator to enforce proper JWT validation. Upgrading to Kafka version 4.1.2, 4.2.0, or later is recommended, as these versions include the fix by default. Patch status is not explicitly stated, but the vendor advisory indicates the issue is fixed in later versions.
CVE-2026-33557: CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input in Apache Software Foundation Apache Kafka
Description
A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the `preferred_username` set to any user, and the broker will accept it. We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Apache Kafka relates to improper validation of JWT tokens in the SASL OAuthBearer authentication mechanism. By default, the broker property sasl.oauthbearer.jwt.validator.class is set to a validator that does not verify the JWT signature, issuer, or audience, effectively accepting any token. This allows attackers to generate tokens from arbitrary issuers with any preferred_username, bypassing authentication controls. Kafka versions 4.1.2 and later have corrected this by enforcing proper JWT validation. Users running versions 4.1.0 or 4.1.1 should manually set the validator class to org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator to prevent exploitation.
Potential Impact
An attacker can impersonate any user by presenting a crafted JWT token that is accepted by the broker without proper validation. This could lead to unauthorized access to Kafka resources and potential data exposure or manipulation. There are no known exploits in the wild at this time.
Mitigation Recommendations
Users running Apache Kafka versions 4.1.0 or 4.1.1 should explicitly set the broker configuration property sasl.oauthbearer.jwt.validator.class to org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator to enforce proper JWT validation. Upgrading to Kafka version 4.1.2, 4.2.0, or later is recommended, as these versions include the fix by default. Patch status is not explicitly stated, but the vendor advisory indicates the issue is fixed in later versions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-03-23T03:14:53.527Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e631a519fe3cd2cdff25ff
Added to database: 4/20/2026, 2:01:09 PM
Last enriched: 4/20/2026, 2:17:31 PM
Last updated: 4/21/2026, 7:05:59 AM
Views: 92
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.