Apache Software Foundation Apache Kafka vulnerabilities
9 known vulnerabilities affecting apache_software_foundation/apache_kafka.
Total CVEs: 9
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: HIGH 5, MEDIUM 4
Vulnerabilities
CVE-2025-27818 | HIGH | CVSS 8.8 | CWE-502 | affected: ≥ 2.3.0, ≤ 3.9.0 | published 2025-06-10
A possible security vulnerability has been identified in Apache Kafka.
This requires access to alterConfig on the cluster resource, or to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol, which has been possible on Kafka clusters since Apache Kafka
Sources: cvelistv5, nvd
CVE-2025-27819 | HIGH | CVSS 8.8 | CWE-502 | affected: ≥ 2.0.0, ≤ 3.3.2 | published 2025-06-10
Apache Kafka: Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration
In CVE-2023-25194, we announced the RCE/denial of service attack via SASL JAAS JndiLoginModule configuration in the Kafka Connect API. Not only the Kafka Connect API is vulnerable to this attack; Apache Kafka brokers also have this vulnerability. To exploit this vulnerability,
Sources: cvelistv5
CVE-2024-56128 | MEDIUM | CVSS 5.3 | CWE-303 | affected: ≥ 0.10.2.0, < 3.7.2; 3.8.0 | published 2024-12-18
Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation.
Issue Summary:
Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802 [1].
Specifically, as per RFC 5802, the server must verify that the nonce sent by the client i
Sources: cvelistv5, nvd
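The RFC 5802 requirement this entry refers to is that the server compares the nonce carried in the client-final-message against the one it issued in the server-first-message. The following is an added example, not Apache Kafka's ScramSaslServer code: a minimal SCRAM-SHA-256 exchange in Python whose server can be run with or without that nonce check. The user, password, salt and iteration count are constructed for the example, and channel binding is not used (GS2 header "n,,").

```python
"""Minimal SCRAM-SHA-256 (RFC 5802) exchange with the server-side nonce check.

Added example for this listing, not Apache Kafka's ScramSaslServer. It
assumes SCRAM-SHA-256 without channel binding (GS2 header "n,,"); the
user, password, salt and iteration count below are constructed.
"""
import base64
import hashlib
import hmac
import secrets

USER = "alice"                               # constructed
PASSWORD = b"correct horse battery staple"   # constructed
SALT = b"example-salt-16b"                   # constructed; real salts are random
ITERATIONS = 4096


def parse_attrs(msg: str) -> dict:
    """Split a SCRAM message 'k=v,k=v' into a dict of attributes."""
    return dict(part.split("=", 1) for part in msg.split(",") if "=" in part)


def derive_keys(password: bytes, salt: bytes, iterations: int):
    """SaltedPassword -> ClientKey, StoredKey, ServerKey (RFC 5802 section 3)."""
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return client_key, stored_key, server_key


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ScramServer:
    """Server side of the exchange; check_nonce=False models the missing check."""

    def __init__(self, stored_key: bytes, check_nonce: bool = True):
        self.stored_key = stored_key
        self.check_nonce = check_nonce

    def server_first(self, client_first: str) -> str:
        self.client_first_bare = client_first[len("n,,"):]
        client_nonce = parse_attrs(self.client_first_bare)["r"]
        # Combined nonce = client nonce + fresh server randomness (RFC 5802 5.1).
        self.nonce = client_nonce + secrets.token_urlsafe(18)
        salt_b64 = base64.b64encode(SALT).decode()
        self.server_first_msg = f"r={self.nonce},s={salt_b64},i={ITERATIONS}"
        return self.server_first_msg

    def verify_client_final(self, client_final: str) -> bool:
        attrs = parse_attrs(client_final)
        # RFC 5802 5.1: r= in client-final-message MUST equal the nonce the
        # server sent. This is the verification the CVE says was not performed.
        if self.check_nonce and attrs["r"] != self.nonce:
            return False
        # AuthMessage is built from the client-final message as received, so
        # without the check above a foreign nonce flows straight into it.
        without_proof = client_final[: client_final.rfind(",p=")]
        auth_message = ",".join([self.client_first_bare, self.server_first_msg, without_proof])
        client_signature = hmac.new(self.stored_key, auth_message.encode(), hashlib.sha256).digest()
        client_key = xor(base64.b64decode(attrs["p"]), client_signature)
        return hmac.compare_digest(hashlib.sha256(client_key).digest(), self.stored_key)


def client_first_message(user: str, nonce: str) -> str:
    return f"n,,n={user},r={nonce}"


def client_final_message(password: bytes, client_first_bare: str, server_first: str, nonce: str) -> str:
    """Build client-final-message, sending `nonce` as the r= attribute."""
    attrs = parse_attrs(server_first)
    client_key, stored_key, _ = derive_keys(password, base64.b64decode(attrs["s"]), int(attrs["i"]))
    without_proof = f"c=biws,r={nonce}"  # "biws" is base64("n,,")
    auth_message = ",".join([client_first_bare, server_first, without_proof])
    client_signature = hmac.new(stored_key, auth_message.encode(), hashlib.sha256).digest()
    proof = xor(client_key, client_signature)
    return f"{without_proof},p={base64.b64encode(proof).decode()}"


def run_exchange(check_nonce: bool, tamper_nonce: bool = False, password: bytes = PASSWORD) -> bool:
    """Run one authentication; return whether the server accepted it."""
    _, stored_key, _ = derive_keys(PASSWORD, SALT, ITERATIONS)  # server's stored credential
    server = ScramServer(stored_key, check_nonce)
    first = client_first_message(USER, secrets.token_urlsafe(18))
    server_first = server.server_first(first)
    nonce = parse_attrs(server_first)["r"]
    if tamper_nonce:
        nonce = nonce + "tampered"  # a nonce the server never issued
    final = client_final_message(password, first[len("n,,"):], server_first, nonce)
    return server.verify_client_final(final)


if __name__ == "__main__":
    print("fixed server, honest client: ", run_exchange(check_nonce=True))
    print("fixed server, wrong password:", run_exchange(check_nonce=True, password=b"wrong"))
    print("fixed server, foreign nonce: ", run_exchange(check_nonce=True, tamper_nonce=True))
    print("lax server, foreign nonce:   ", run_exchange(check_nonce=False, tamper_nonce=True))
```

With the check disabled, the server recomputes AuthMessage from the client-final message exactly as received, so a final message whose r= attribute is not the nonce the server issued still verifies as long as the proof was computed over that same altered message; with the check enabled it is rejected before the proof is examined. A wrong password fails in both modes, since the proof still depends on the stored key.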
CVE-2024-27309 | HIGH | CVSS 7.4 | CWE-863 | affected: ≥ 3.5.0, ≤ 3.5.2; ≥ 3.6.0, ≤ 3.6.1 | published 2024-04-12
While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced.
Two preconditions are needed to trigger the bug:
1. The administrator decides to remove an ACL
2. The resource associated with the removed ACL continues to have two or more other ACLs associated with it after the remov
Sources: cvelistv5, nvd
CVE-2023-25194 | HIGH | CVSS 8.8 | CWE-502 | Exploited in wild, PoC available | affected: ≥ 2.0.0, ≤ 3.3.2 | published 2023-02-07
A possible security vulnerability has been identified in Apache Kafka Connect API.
This requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol, which has been possible on Kafka Connect clusters since Apache Kafka Connect 2.3.0.
When
Sources: nvd
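CVE-2023-25194, CVE-2025-27819 and CVE-2025-27818 all turn on the same input: a SASL JAAS config string, supplied by someone who can create or modify connectors (or alter cluster configs), that names a login module such as JndiLoginModule. The following is an added example, not Apache Kafka's or Kafka Connect's own code, of auditing connector configs for that pattern. It assumes the configs are in the shape returned by the Connect REST API's GET /connectors/<name>/config, and the allowlist of login modules is an assumption chosen for the example; the sample connector configs are constructed.

```python
"""Audit Kafka Connect connector configs for disallowed JAAS login modules.

Added example for this listing, not Apache Kafka's or Kafka Connect's own
code. Assumes connector configs in the shape of the Connect REST API's
GET /connectors/<name>/config response. The allowlist below and the sample
configs are constructed for the example.
"""
import re

# Login modules a client legitimately uses for SASL; anything else is reported.
# This set is an assumption for the example, not a Kafka default.
ALLOWED_LOGIN_MODULES = {
    "org.apache.kafka.common.security.plain.PlainLoginModule",
    "org.apache.kafka.common.security.scram.ScramLoginModule",
    "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule",
    "com.sun.security.auth.module.Krb5LoginModule",
}
# The module named in CVE-2023-25194 / CVE-2025-27819; always reported.
JNDI_LOGIN_MODULE = "com.sun.security.auth.module.JndiLoginModule"

# Any key ending in sasl.jaas.config: the plain client key plus the
# producer.override. / consumer.override. / admin.override. variants a
# connector may set when the worker's override policy allows it.
JAAS_KEY_RE = re.compile(r"(^|\.)sasl\.jaas\.config$")


def login_modules(jaas_config: str) -> list[str]:
    """Return the login module class names in a JAAS config string.

    JAAS syntax is '<Module> <flag> [key=value ...];' repeated; the module
    class is the first whitespace-separated token of each ';'-terminated entry.
    (Option values containing ';' are not handled; none occur in the sample.)
    """
    modules = []
    for entry in jaas_config.split(";"):
        tokens = entry.strip().split()
        if tokens:
            modules.append(tokens[0])
    return modules


def audit_connector(name: str, config: dict) -> list[dict]:
    """Return one finding per disallowed login module in a connector config."""
    findings = []
    for key, value in config.items():
        if not JAAS_KEY_RE.search(key) or not isinstance(value, str):
            continue
        for module in login_modules(value):
            if module == JNDI_LOGIN_MODULE or module not in ALLOWED_LOGIN_MODULES:
                findings.append({"connector": name, "key": key, "module": module})
    return findings


def audit_all(connectors: dict) -> list[dict]:
    """Audit a {connector name: config} mapping, e.g. built from the REST API."""
    findings = []
    for name, config in connectors.items():
        findings.extend(audit_connector(name, config))
    return findings


# Constructed sample: one clean connector, one carrying a JndiLoginModule
# override, one chaining a module that is not on the allowlist.
SAMPLE_CONNECTORS = {
    "orders-sink": {
        "connector.class": "io.example.JdbcSinkConnector",
        "consumer.override.security.protocol": "SASL_SSL",
        "consumer.override.sasl.mechanism": "SCRAM-SHA-512",
        "consumer.override.sasl.jaas.config":
            'org.apache.kafka.common.security.scram.ScramLoginModule required '
            'username="orders" password="redacted";',
    },
    "metrics-source": {
        "connector.class": "io.example.MetricsSourceConnector",
        "producer.override.security.protocol": "SASL_PLAINTEXT",
        "producer.override.sasl.mechanism": "PLAIN",
        "producer.override.sasl.jaas.config":
            "com.sun.security.auth.module.JndiLoginModule required;",
    },
    "audit-sink": {
        "connector.class": "io.example.S3SinkConnector",
        "admin.override.sasl.jaas.config":
            'org.apache.kafka.common.security.scram.ScramLoginModule required '
            'username="audit" password="redacted"; '
            "com.example.CustomLoginModule optional;",
    },
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_CONNECTORS):
        print(f"{f['connector']}: {f['key']} loads {f['module']}")
```

The scan is a detection aid for existing connectors, not a substitute for the project's own controls: since Kafka 3.4.0 the JVM system property org.apache.kafka.disallowed.login.modules rejects listed login modules in SASL JAAS configs (JndiLoginModule is disallowed by default), and Connect's connector.client.config.override.policy governs whether connectors may override client settings such as sasl.jaas.config at all.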
CVE-2022-34917 | HIGH | CVSS 7.5 | CWE-789 | affected: Apache Kafka 2.8.0, 2.8.1 (+6 more) | published 2022-09-20
A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial of service. Example scenarios: - Kafka cluster without authentication: Any
Sources: cvelistv5, nvd
CVE-2021-38153 | MEDIUM | CVSS 5.9 | CWE-203 | affected: Apache Kafka 2.0.x ≤ 2.0.1; 2.1.x ≤ 2.1.1 (+7 more) | published 2021-09-22
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher, where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0
Sources: cvelistv5, nvd
CVE-2017-12610 | MEDIUM | CVSS 6.8 | CWE-287 | affected: 0.10.0.0 to 0.10.2.1; 0.11.0.0 to 0.11.0.1 | published 2018-07-26
In Apache Kafka 0.10.0.0 to 0.10.2.1 and 0.11.0.0 to 0.11.0.1, authenticated Kafka clients may use impersonation via a manually crafted protocol message with SASL/PLAIN or SASL/SCRAM authentication when using the built-in PLAIN or SCRAM server implementations in Apache Kafka.
Sources: cvelistv5, nvd
CVE-2018-1288 | MEDIUM | CVSS 5.4 | affected: 0.9.0.0 to 0.9.0.1; 0.10.0.0 to 0.10.2.1 (+2 more) | published 2018-07-26
In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform actions reserved for the broker via a manually created fetch request, interfering with data replication and resulting in data loss.
Sources: cvelistv5, nvd