CVE-2026-41115: CWE-285 Improper Authorization in Apache Software Foundation Apache Kafka
An improper authorization issue exists in Apache Kafka 4. 0. 0 related to the CONSUMER_GROUP_DESCRIBE API. The implementation validates the DESCRIBE operation on the GROUP resource instead of the READ operation as documented, causing discrepancies between actual behavior and official documentation. This may lead to misconfigured ACLs, potentially granting users unintended access to group metadata. The implementation is correct, but documentation and KIP-848 will be updated to align with it. Users are advised to review ACLs to ensure least privilege is maintained.
AI Analysis
Technical Summary
CVE-2026-41115 identifies an improper authorization vulnerability in Apache Kafka 4.0.0 where the CONSUMER_GROUP_DESCRIBE API enforces DESCRIBE permissions on GROUP resources rather than READ permissions as stated in Kafka documentation and KIP-848. This mismatch can cause administrators to misconfigure ACLs, inadvertently granting users access to sensitive group metadata or allowing users without READ permission but with DESCRIBE permission to access group information. The actual implementation is correct, and the vendor plans to update documentation to reflect this. Users should audit existing group ACLs to maintain proper access control.
Potential Impact
The impact is primarily administrative and configuration-based. Misalignment between implementation and documentation can lead to ACL misconfigurations, potentially allowing unauthorized users to access or synchronize consumer group metadata. There is no indication of a direct exploit or code-level bypass, but improper ACLs could expose sensitive group information.
Mitigation Recommendations
No official patch or fix is currently indicated. The vendor confirms the implementation is correct and will update documentation and KIP-848 accordingly. Users should review and audit existing consumer group ACLs to ensure they follow the principle of least privilege and do not grant excessive permissions based on outdated documentation.
CVE-2026-41115: CWE-285 Improper Authorization in Apache Software Foundation Apache Kafka
Description
An improper authorization issue exists in Apache Kafka 4. 0. 0 related to the CONSUMER_GROUP_DESCRIBE API. The implementation validates the DESCRIBE operation on the GROUP resource instead of the READ operation as documented, causing discrepancies between actual behavior and official documentation. This may lead to misconfigured ACLs, potentially granting users unintended access to group metadata. The implementation is correct, but documentation and KIP-848 will be updated to align with it. Users are advised to review ACLs to ensure least privilege is maintained.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-41115 identifies an improper authorization vulnerability in Apache Kafka 4.0.0 where the CONSUMER_GROUP_DESCRIBE API enforces DESCRIBE permissions on GROUP resources rather than READ permissions as stated in Kafka documentation and KIP-848. This mismatch can cause administrators to misconfigure ACLs, inadvertently granting users access to sensitive group metadata or allowing users without READ permission but with DESCRIBE permission to access group information. The actual implementation is correct, and the vendor plans to update documentation to reflect this. Users should audit existing group ACLs to maintain proper access control.
Potential Impact
The impact is primarily administrative and configuration-based. Misalignment between implementation and documentation can lead to ACL misconfigurations, potentially allowing unauthorized users to access or synchronize consumer group metadata. There is no indication of a direct exploit or code-level bypass, but improper ACLs could expose sensitive group information.
Mitigation Recommendations
No official patch or fix is currently indicated. The vendor confirms the implementation is correct and will update documentation and KIP-848 accordingly. Users should review and audit existing consumer group ACLs to ensure they follow the principle of least privilege and do not grant excessive permissions based on outdated documentation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-04-17T03:09:02.257Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1eaa80e29bf47b50bc54b6
Added to database: 6/2/2026, 10:03:44 AM
Last enriched: 6/2/2026, 10:19:04 AM
Last updated: 6/2/2026, 12:51:40 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.