Kafka OAuth JWT bypass grants unauth access (CVE-2026-33557)
CVE-2026-33557
Attackers can forge JWTs to bypass Kafka authentication, impersonate any user, and access sensitive data. Upgrade to Kafka 4.1.2 or 4.2.0 to fix.
Patch now - CVE-2026-33557 is a critical authentication bypass in Apache Kafka 4.1.0 and 4.1.1 that lets attackers forge self-signed JWT tokens to impersonate any Kafka user. Upgrade to version 4.1.2 or later for the permanent fix.
Overview
A critical authentication bypass vulnerability has been discovered in Apache Kafka. The flaw is present in the default OAuth JWT validator for versions 4.1.0 and 4.1.1, allowing attackers to forge authentication tokens and gain unauthorized access to the Kafka broker.
Vulnerability Details
When Kafka is configured to use OAuth bearer token authentication (SASL_OAUTHBEARER), it relies on a validator class to check the integrity and claims of incoming JSON Web Tokens (JWT). In affected versions, the default validator (org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator) fails to perform critical security checks. It does not validate the token’s cryptographic signature, its issuer (iss claim), or its intended audience (aud claim).
This means an attacker can craft a self-signed JWT from any source, set the preferred_username claim to any valid Kafka user, and the broker will accept it as legitimate. The vulnerability is tracked as CVE-2026-33557 and carries a CVSS score of 9.1 (Critical): it is exploitable over the network with low attack complexity and requires neither privileges nor user interaction.
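To make the failure mode concrete, here is an added, self-contained example (not code from Apache Kafka or from the advisory) that builds a forged token and runs it through two validators: one that mirrors the fail-open behaviour the advisory attributes to DefaultJwtValidator (decode claims, check expiry, never verify signature, iss or aud), and a strict one of the kind BrokerJwtValidator is described as providing. HS256 with a shared secret is used so the block runs offline on the standard library; a real broker verifies asymmetric signatures against the IdP's JWKS. The key values, issuer URL, audience string and the `preferred_username` principal claim are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demonstration keys: the attacker never needs the IdP's key.
TRUSTED_IDP_KEY = b"idp-shared-secret-known-only-to-idp-and-broker"
ATTACKER_KEY = b"anything-the-attacker-likes"
IDP_ISSUER = "https://idp.example/realms/kafka"   # assumed issuer
EXPECTED_AUDIENCE = "kafka-cluster"               # assumed audience


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Serialise header.claims.signature; alg='none' yields an empty signature."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def forge_token(username: str, alg: str = "HS256") -> str:
    """Attacker side: any issuer, any audience, signed with a key nobody trusts (or not at all)."""
    claims = {"iss": "https://attacker.example", "aud": "whatever", "sub": username,
              "preferred_username": username, "exp": int(time.time()) + 3600}
    return make_jwt(claims, ATTACKER_KEY, alg)


def legitimate_token(username: str) -> str:
    """What the real IdP would mint: correct issuer/audience, signed with the trusted key."""
    claims = {"iss": IDP_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": username,
              "preferred_username": username, "exp": int(time.time()) + 3600}
    return make_jwt(claims, TRUSTED_IDP_KEY)


def fail_open_validate(token: str, principal_claim: str = "preferred_username") -> str:
    """Mimics the affected default: parse claims, check exp, ignore signature, iss and aud."""
    _header_b64, claims_b64, _sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims[principal_claim]


def strict_validate(token: str, key: bytes, expected_issuer: str, expected_audience: str,
                    principal_claim: str = "preferred_username") -> str:
    """Signature first (pinned algorithm, constant-time compare), then iss, aud and exp."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # rejects alg=none and algorithm confusion
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise ValueError(f"audience {aud!r} does not include {expected_audience!r}")
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims[principal_claim]


def outcome(validate, token: str, *args) -> str:
    """Render a validator's decision as text so both paths can be compared side by side."""
    try:
        return "accepted as " + validate(token, *args)
    except ValueError as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    strict_args = (TRUSTED_IDP_KEY, IDP_ISSUER, EXPECTED_AUDIENCE)
    for label, tok in [("forged HS256", forge_token("admin")),
                       ("forged alg=none", forge_token("admin", "none")),
                       ("legitimate", legitimate_token("alice"))]:
        print(f"{label:16} fail-open: {outcome(fail_open_validate, tok)}")
        print(f"{label:16} strict   : {outcome(strict_validate, tok, *strict_args)}")
```

The fail-open validator accepts both forged tokens as `admin`; the strict one rejects the HS256 forgery on signature and the `alg=none` token on algorithm, while still accepting the IdP-issued token. Note the ordering in `strict_validate`: the signature is checked before any claim is trusted, because claims from an unverified token are attacker input.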
Impact
The primary impact is a complete bypass of Kafka’s SASL/OAuth authentication. An attacker with network access to the broker could impersonate any user, potentially gaining permissions to produce messages to, or consume messages from, sensitive topics. This could lead to data theft, data corruption, or disruption of streaming data pipelines.
Affected Versions
- Apache Kafka 4.1.0
- Apache Kafka 4.1.1
Versions 4.1.2, 4.2.0, and later contain the fix. Earlier versions (4.0.x and below) are not affected as they do not include the vulnerable DefaultJwtValidator class.
Remediation and Mitigation
The recommended action is to upgrade Kafka to a fixed version (4.1.2 or 4.2.0+). If an immediate upgrade is not possible, a configuration change can mitigate the vulnerability.
Immediate Mitigation (for Kafka 4.1.0/4.1.1):
Explicitly set the sasl.oauthbearer.jwt.validator.class broker property to org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator in your server configuration and restart the brokers. This validator verifies the JWT signature and checks the claims. Note that its issuer and audience checks are only enforced when sasl.oauthbearer.expected.issuer and sasl.oauthbearer.expected.audience are configured, and signature verification depends on the JWKS settings (sasl.oauthbearer.jwks.endpoint.url) already required for OAuth on the broker, so confirm those are present as well. After the restart, confirm with a client presenting an unsigned or wrongly signed token that the broker now rejects it.
Permanent Fix:
Upgrade your Kafka deployment to version 4.1.2, 4.2.0, or any subsequent release. The fix ensures the correct BrokerJwtValidator is used by default, restoring proper JWT validation.
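The following is an added audit helper (not Kafka project code) that applies the rules from the Affected Versions and Remediation sections above to a broker's server.properties: a broker is exposed only if OAUTHBEARER is enabled, affected only on 4.1.0 or 4.1.1, and counted as mitigated only when sasl.oauthbearer.jwt.validator.class is explicitly BrokerJwtValidator. The sample configurations are constructed for the example; treating a listener-prefixed copy of a property the same as the global one is an assumption.

```python
AFFECTED_VERSIONS = {(4, 1, 0), (4, 1, 1)}
SAFE_VALIDATOR = "org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator"
VALIDATOR_KEY = "sasl.oauthbearer.jwt.validator.class"

# Constructed sample configs (not taken from any real deployment or the advisory).
VULNERABLE_CONF = """\
# OAUTHBEARER enabled, validator class left at the 4.1.0/4.1.1 default
broker.id=1
listeners=SASL_SSL://0.0.0.0:9093
sasl.enabled.mechanisms=OAUTHBEARER
sasl.oauthbearer.jwks.endpoint.url=https://idp.example/.well-known/jwks.json
"""
MITIGATED_CONF = VULNERABLE_CONF + f"{VALIDATOR_KEY}={SAFE_VALIDATOR}\n"
NO_OAUTH_CONF = "listeners=SASL_SSL://0.0.0.0:9093\nsasl.enabled.mechanisms=SCRAM-SHA-512\n"


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: '#'/'!' comment lines, '=' or ':' separator."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        positions = [i for i in (line.find("="), line.find(":")) if i != -1]
        if not positions:
            props[line] = ""
            continue
        sep = min(positions)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def parse_version(version: str) -> tuple:
    """'4.1.1' or '4.1.1-SNAPSHOT' -> (4, 1, 1)."""
    return tuple(int(p) for p in version.split("-")[0].split(".")[:3])


def _values_for(props: dict, suffix: str) -> list:
    """Global key plus any listener-prefixed variant (assumed to carry the same meaning)."""
    return [v for k, v in props.items() if k == suffix or k.endswith("." + suffix)]


def oauth_enabled(props: dict) -> bool:
    mechanisms = set()
    for value in _values_for(props, "sasl.enabled.mechanisms"):
        mechanisms.update(m.strip().upper() for m in value.split(",") if m.strip())
    return "OAUTHBEARER" in mechanisms


def audit(properties_text: str, kafka_version: str) -> str:
    """Classify a broker as not_exposed, not_affected, fixed, mitigated or vulnerable."""
    props = parse_properties(properties_text)
    version = parse_version(kafka_version)
    if not oauth_enabled(props):
        return "not_exposed"     # no OAUTHBEARER mechanism, nothing to forge against
    if version < (4, 1, 0):
        return "not_affected"    # DefaultJwtValidator does not exist before 4.1.0
    if version not in AFFECTED_VERSIONS:
        return "fixed"           # 4.1.2 / 4.2.0+ default to BrokerJwtValidator
    validators = _values_for(props, VALIDATOR_KEY)
    if validators and all(v == SAFE_VALIDATOR for v in validators):
        return "mitigated"       # explicit override in place pending upgrade
    return "vulnerable"


if __name__ == "__main__":
    for name, conf, ver in [("vulnerable", VULNERABLE_CONF, "4.1.1"),
                            ("mitigated", MITIGATED_CONF, "4.1.0"),
                            ("upgraded", VULNERABLE_CONF, "4.1.2"),
                            ("pre-4.1", VULNERABLE_CONF, "4.0.0"),
                            ("no oauth", NO_OAUTH_CONF, "4.1.1")]:
        print(f"{name:11} {ver:6} -> {audit(conf, ver)}")
```

Run it against the real server.properties of each broker (and the version reported by kafka-broker-api-versions.sh or the jar name); any "vulnerable" result means the override above or an upgrade is still outstanding. A "mitigated" result is interim: the permanent fix remains the upgrade.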
Security Insight
This vulnerability underscores the risk of “fail-open” defaults in security modules, where the absence of a check is treated as success. It mirrors a pattern seen repeatedly in JWT handling, where libraries that honoured an alg=none header or never verified the signature allowed anyone who could build a token to impersonate any user. For Apache projects, this incident highlights the need for more rigorous security review of new authentication features before they reach a stable release, especially when they ship as a default configuration.