CVE-2026-33557

Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication

Assigner: apache
Reserved: 23.03.2026 Published: 20.04.2026 Updated: 20.04.2026

A possible security vulnerability has been identified in Apache Kafka.

By default, the broker property sasl.oauthbearer.jwt.validator.class is set to org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the preferred_username set to any user, and the broker will accept it.

We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config sasl.oauthbearer.jwt.validator.class to org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.

Product Status

Vendor	Apache Software Foundation
Product	Apache Kafka
Versions	Default: unaffected affected from 4.1.0 to 4.1.1 (incl.)

Vendor

Apache Software Foundation

Product

Apache Kafka

Versions

Default: unaffected

affected from 4.1.0 to 4.1.1 (incl.)

Credits

Павел Романов <promanov1994@gmail.com> finder

References

Problem Types

CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input CWE

CVE-2026-33557 PUBLISHED

Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication

Product Status

Credits

References

Problem Types