CVE-2026-33558: CWE-533 DEPRECATED: Information Exposure Through Server Log Files in Apache Software Foundation Apache Kafka
Information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensitive information will be exposed via the requests and responses output log. The entire lists of impacted requests and responses are: * AlterConfigsRequest * AlterUserScramCredentialsRequest * ExpireDelegationTokenRequest * IncrementalAlterConfigsRequest * RenewDelegationTokenRequest * SaslAuthenticateRequest * createDelegationTokenResponse * describeDelegationTokenResponse * SaslAuthenticateResponse This issue affects Apache Kafka: from any version supported the listed API above through v3.9.1, v4.0.0. We advise the Kafka users to upgrade to v3.9.2, v4.0.1, or later to avoid this vulnerability.
AI Analysis
Technical Summary
CVE-2026-33558 is an information exposure vulnerability in Apache Kafka where the NetworkClient component logs entire request and response details at DEBUG log level. This includes sensitive data from several API requests and responses such as AlterConfigsRequest, SaslAuthenticateRequest, and delegation token requests and responses. The issue affects Kafka versions from 0.11.0 through 3.9.1 and 4.0.0. Users are advised to upgrade to Kafka versions 3.9.2, 4.0.1, or later to mitigate this vulnerability. By default, Kafka logs at INFO level, so the exposure only occurs if DEBUG logging is enabled.
Potential Impact
If DEBUG logging is enabled, sensitive information contained in requests and responses can be exposed in server log files, potentially leaking credentials or configuration details. This could lead to unauthorized information disclosure. However, since the default log level is INFO, this exposure requires deliberate enabling of DEBUG logs.
Mitigation Recommendations
Upgrade Apache Kafka to version 3.9.2, 4.0.1, or later where this issue is fixed. Additionally, avoid enabling DEBUG log level in production environments unless necessary, as it exposes sensitive information in logs. Patch status is not explicitly confirmed in the advisory, but the vendor recommends upgrading to fixed versions.
CVE-2026-33558: CWE-533 DEPRECATED: Information Exposure Through Server Log Files in Apache Software Foundation Apache Kafka
Description
Information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensitive information will be exposed via the requests and responses output log. The entire lists of impacted requests and responses are: * AlterConfigsRequest * AlterUserScramCredentialsRequest * ExpireDelegationTokenRequest * IncrementalAlterConfigsRequest * RenewDelegationTokenRequest * SaslAuthenticateRequest * createDelegationTokenResponse * describeDelegationTokenResponse * SaslAuthenticateResponse This issue affects Apache Kafka: from any version supported the listed API above through v3.9.1, v4.0.0. We advise the Kafka users to upgrade to v3.9.2, v4.0.1, or later to avoid this vulnerability.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-33558 is an information exposure vulnerability in Apache Kafka where the NetworkClient component logs entire request and response details at DEBUG log level. This includes sensitive data from several API requests and responses such as AlterConfigsRequest, SaslAuthenticateRequest, and delegation token requests and responses. The issue affects Kafka versions from 0.11.0 through 3.9.1 and 4.0.0. Users are advised to upgrade to Kafka versions 3.9.2, 4.0.1, or later to mitigate this vulnerability. By default, Kafka logs at INFO level, so the exposure only occurs if DEBUG logging is enabled.
Potential Impact
If DEBUG logging is enabled, sensitive information contained in requests and responses can be exposed in server log files, potentially leaking credentials or configuration details. This could lead to unauthorized information disclosure. However, since the default log level is INFO, this exposure requires deliberate enabling of DEBUG logs.
Mitigation Recommendations
Upgrade Apache Kafka to version 3.9.2, 4.0.1, or later where this issue is fixed. Additionally, avoid enabling DEBUG log level in production environments unless necessary, as it exposes sensitive information in logs. Patch status is not explicitly confirmed in the advisory, but the vendor recommends upgrading to fixed versions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-03-23T03:46:25.070Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e631a519fe3cd2cdff2604
Added to database: 4/20/2026, 2:01:09 PM
Last enriched: 4/20/2026, 2:17:24 PM
Last updated: 4/21/2026, 7:07:57 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.