Pulsar Admin API allows access to data from other tenants using getMessageById API
Description
In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a topic and a ledger id. The ledger id is a pointer to the data, and it is supposed to be a valid id for the topic. Authorisation controls are performed against the topic name, and there is no proper validation that the ledger id is valid in the context of that topic. So it may happen that the user is able to read from a ledger that contains data owned by another tenant. This issue affects Apache Pulsar version 2.8.0 and prior versions; Apache Pulsar version 2.7.3 and prior versions; Apache Pulsar version 2.6.4 and prior versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Pulsar's Admin API get-message-by-id lacks validation of ledger IDs, allowing authenticated users to read data from other tenants' BookKeeper ledgers.
Vulnerability
In Apache Pulsar versions 2.8.0 and prior, 2.7.3 and prior, and 2.6.4 and prior, the Admin API get-message-by-id endpoint accepts a topic and a ledger ID. Authorization checks are performed only on the topic name, but the ledger ID is not validated to ensure it belongs to that topic. This allows a user to specify a ledger ID from another tenant's data, bypassing access controls [2].
Exploitation
An attacker needs authenticated access to the Pulsar Admin API, read permission on at least one topic, and a ledger ID that holds another tenant's data. Ledger IDs are integers allocated by BookKeeper, so guessing or enumerating one is not a strong barrier. The attacker calls get-message-by-id with a topic they are permitted to read and the foreign ledger ID (plus an entry ID within that ledger). Because the server never checks that the ledger belongs to the named topic, it returns the entry from the other tenant's ledger [2].
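The two paragraphs above describe a check that is present (authorization on the topic name) and a check that is missing (that the ledger belongs to that topic). The following is an added example, not Pulsar's own code: a small model of the broker-side request handling that shows why the first check alone does not bound what data a caller can read, and what the second check adds. The tenants, topics, ledger ids, payloads and all function names (get_message_vulnerable, get_message_fixed, attempt) are constructed for illustration.

```python
# Added example, not Apache Pulsar's code: a minimal model of the broker-side
# checks behind get-message-by-id. Tenants, topics, ledger ids, payloads and
# every function name here are constructed for illustration.
from typing import Callable

# Constructed BookKeeper-like store. Ledger ids form one flat, cluster-wide
# namespace: nothing in the id says which topic or tenant owns the ledger.
LEDGERS = {
    101: [b"tenant-a order 1", b"tenant-a order 2"],
    202: [b"tenant-b payroll row 1", b"tenant-b payroll row 2"],
}

# Constructed managed-ledger metadata: the ledgers each topic actually owns.
TOPIC_LEDGERS = {
    "persistent://tenant-a/ns/orders": {101},
    "persistent://tenant-b/ns/payroll": {202},
}

# Constructed authorization data: the topics each principal may read.
GRANTS = {
    "alice@tenant-a": {"persistent://tenant-a/ns/orders"},
    "bob@tenant-b": {"persistent://tenant-b/ns/payroll"},
}


class NotAuthorized(Exception):
    pass


class LedgerNotInTopic(Exception):
    pass


def authorize(principal: str, topic: str) -> None:
    """Topic-level check: the only check the vulnerable path performs."""
    if topic not in GRANTS.get(principal, set()):
        raise NotAuthorized(f"{principal} may not read {topic}")


def read_entry(ledger_id: int, entry_id: int) -> bytes:
    """Read straight from the ledger store by (ledger id, entry id)."""
    return LEDGERS[ledger_id][entry_id]


def get_message_vulnerable(principal: str, topic: str,
                           ledger_id: int, entry_id: int) -> bytes:
    """Pre-fix behaviour: authorize on the topic name, then read whatever
    ledger id the caller supplied, whoever owns it."""
    authorize(principal, topic)
    return read_entry(ledger_id, entry_id)


def get_message_fixed(principal: str, topic: str,
                      ledger_id: int, entry_id: int) -> bytes:
    """Post-fix behaviour: also require that the ledger belongs to the topic
    the caller was authorized for, so the topic check bounds the data read."""
    authorize(principal, topic)
    if ledger_id not in TOPIC_LEDGERS.get(topic, set()):
        raise LedgerNotInTopic(f"ledger {ledger_id} is not part of {topic}")
    return read_entry(ledger_id, entry_id)


def attempt(handler: Callable[..., bytes], principal: str, topic: str,
            ledger_id: int, entry_id: int) -> str:
    """Run one request and summarize the outcome as 'ok:<payload>' or
    'denied:<exception class>'."""
    try:
        return "ok:" + handler(principal, topic, ledger_id, entry_id).decode()
    except (NotAuthorized, LedgerNotInTopic) as exc:
        return "denied:" + type(exc).__name__


if __name__ == "__main__":
    # alice may read tenant-a/orders (ledger 101) but names ledger 202,
    # which belongs to tenant-b's payroll topic.
    own = "persistent://tenant-a/ns/orders"
    foreign = "persistent://tenant-b/ns/payroll"
    print(attempt(get_message_vulnerable, "alice@tenant-a", own, 202, 0))
    print(attempt(get_message_fixed, "alice@tenant-a", own, 202, 0))
    print(attempt(get_message_fixed, "alice@tenant-a", own, 101, 1))
    print(attempt(get_message_fixed, "alice@tenant-a", foreign, 202, 0))
```

The design point is that the fix cannot be "does this ledger exist"; it has to consult the topic's own managed-ledger metadata (the set of ledgers the topic has written) and reject any ledger id outside it, otherwise the authorization decision on the topic says nothing about the bytes returned. In a real cluster the same request is made through the admin CLI (`pulsar-admin topics get-message-by-id <topic> --ledger-id N --entry-id M`) or the REST endpoint the page references.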
Impact
Successful exploitation leads to unauthorized reading of messages stored in BookKeeper ledgers that belong to other tenants. This results in information disclosure, potentially exposing sensitive data. The attacker gains access to data they are not authorized to view, violating multi-tenant isolation [2].
Mitigation
The issue is fixed in Apache Pulsar 2.7.4 and 2.8.1 [1][3]; the advisory lists no patched release for the 2.6.x line, so users on 2.6.4 or earlier should move to 2.7.4 or later. The fix validates that the supplied ledger ID belongs to the requested topic before any entry is read [3]. The advisory lists no workaround. Until the upgrade is done, restricting which principals can reach the Admin API at all reduces exposure, since the bug is only reachable by an authenticated caller who holds read permission on some topic.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.pulsar:pulsar (Maven) | <= 2.6.4 | — |
| org.apache.pulsar:pulsar (Maven) | >= 2.7.0, < 2.7.4 | 2.7.4 |
| org.apache.pulsar:pulsar (Maven) | >= 2.8.0, < 2.8.1 | 2.8.1 |
Affected products
- Apache Pulsar
Patches
No patches discovered yet (the fix pull requests are listed under References).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-3whx-qrj5-hh2h (GitHub Security Advisory)
2. nvd.nist.gov/vuln/detail/CVE-2021-41571 (NVD)
3. github.com/apache/pulsar/issues/11814 (upstream issue)
4. github.com/apache/pulsar/pull/11852 (pull request)
5. github.com/apache/pulsar/pull/11912 (pull request)
6. github.com/apache/pulsar/pull/11913 (pull request)
7. github.com/apache/pulsar/releases/tag/v2.7.4 (release)
8. github.com/apache/pulsar/releases/tag/v2.8.1 (release)
9. lists.apache.org/thread/8n3k7pvyh4cf9q2jfzb6pb32ync6xlvr (announcement thread)
10. pulsar.apache.org/admin-rest-api/ (Admin REST API documentation)
News mentions
No linked articles in our index yet.