VYPR
Moderate severity · NVD Advisory · Published Sep 23, 2022 · Updated May 22, 2025

Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM

CVE-2022-33681

Description

Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy makes each client vulnerable to a man-in-the-middle attack. Connections from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the Pulsar Proxy to the Pulsar Broker are vulnerable. Authentication data is sent before verifying that the server's TLS certificate matches the hostname, which means authentication data could be exposed to an attacker. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host. Because the client sends authentication data before performing hostname verification, an attacker could gain access to the client's authentication data. The client eventually closes the connection when it verifies the hostname and identifies that the targeted hostname does not match a hostname on the certificate. Because the client eventually closes the connection, the value of the intercepted authentication data depends on the authentication method used by the client. Token-based authentication and username/password authentication methods are vulnerable because the authentication data can be used to impersonate the client in a separate session. This issue affects Apache Pulsar Java Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Delayed TLS hostname verification in the Apache Pulsar Java Client and Proxy lets a man-in-the-middle attacker holding a valid certificate for an unrelated host capture the client's authentication data, because the client sends it before checking that the server certificate matches the expected hostname.

Vulnerability Description

The flaw is one of ordering rather than a race condition. In the affected Apache Pulsar Java Client and Pulsar Proxy, the TLS handshake checks that the server's certificate chains to a trusted CA, but the check that the certificate's names match the hostname the client intended to reach runs only after the connection is already in use. The client therefore writes its authentication token or credentials to a peer that has proved only that it holds some CA-issued certificate, not one for the expected host. In a correctly ordered TLS client, hostname verification is part of establishing the session, and no application data is sent until it has passed [1].

Exploitation Conditions

An attacker must first obtain a man-in-the-middle position on the network path between the Pulsar client (or the Pulsar Proxy, when it connects to a broker) and the legitimate broker or proxy, for example by taking control of a machine between the two. The attacker then terminates the client's TLS connection with a certificate that is cryptographically valid, meaning it chains to a CA the client trusts, but was issued for an unrelated hostname; any certificate the attacker can legitimately obtain for a domain under their control satisfies this. Chain validation passes, and because hostname verification runs only after the client has already transmitted its authentication payload, the attacker captures that payload before the client notices the mismatch and closes the connection [1].

Impact on Authentication

Both token-based and username/password authentication are affected, because the intercepted material is a replayable secret: the attacker can present the same token or credentials to the real broker in a separate session and impersonate the client. The client does close the connection once the hostname check fails, so the attacker does not keep the hijacked session itself; what matters is the credential, which stays usable until it expires or is revoked, not the length of the window in which it was captured. Authentication methods whose data cannot be replayed in a new session are not exposed in the same way, which is why the advisory frames the impact as depending on the method in use [1]. Any token or password that an affected client may have used across an untrusted network path should be treated as potentially exposed and rotated.

Mitigation

The vulnerability affects Apache Pulsar Java Client versions 2.7.0 through 2.7.4, 2.8.0 through 2.8.3, 2.9.0 through 2.9.2, 2.10.0, and all 2.6.4 and earlier releases. The patched releases listed for the Maven artifact are 2.7.5, 2.8.4, 2.9.3 and 2.10.1; because the advisory covers connections from the Pulsar Proxy to the broker as well, the proxy should be upgraded alongside the Java client. The fix changes when hostname verification runs, so that it completes during the TLS handshake before any authentication data is sent. It does not help a deployment that has hostname verification switched off altogether (enableTlsHostnameVerification on the Java ClientBuilder), which remains trivially interceptable, so confirm that it is enabled on both client and proxy. No workarounds are described beyond following the official upgrade guidance [1].
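As an added illustration that is not part of this advisory or of the Pulsar code base, the following Go program reproduces the ordering flaw described above on a loopback socket. It mints a throwaway CA and a certificate for unrelated.example, starts an attacker-controlled TLS listener with that certificate, and connects twice: once as a client that validates the chain during the handshake but compares the hostname only after writing its credential, and once as a client that verifies the hostname as part of the handshake. The token, the hostnames and the AUTH line format are constructed for the example; Go is used instead of Java because its standard library can mint the certificates in memory, so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const SampleToken = "eyJhbGciOiJIUzI1NiJ9.constructed-sample-token" // constructed stand-in for a Pulsar token, not a real secret
const ExpectedHost = "broker.example"                                // hostname the client believes it is connecting to (assumed)

var serial int64 // distinct serial number per minted certificate

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert mints a throwaway certificate for name: a self-signed CA when parent
// is nil, otherwise a leaf signed by parent/parentKey.
func makeCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	tmpl.IsCA = parent == nil
	if tmpl.IsCA { // self-signed root: sign with its own key
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Outcome records what one simulated connection leaked and how the client ended it.
type Outcome struct {
	Captured  string // application data the attacker's listener received
	ClientErr error  // error the client eventually reported (nil would mean it was fooled)
}

// RunScenario connects a client that trusts a test CA to an attacker-run TLS listener
// presenting a certificate issued by that CA for an unrelated host. With
// verifyDuringHandshake=false the client reproduces the flawed ordering: chain
// validated in the handshake, credential written, hostname compared only afterwards.
func RunScenario(verifyDuringHandshake bool) Outcome {
	ca, caKey := makeCert("Constructed Test CA", nil, nil)
	leaf, leafKey := makeCert("unrelated.example", ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// Attacker's listener: a cryptographically valid chain for the wrong name.
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{
		{Certificate: [][]byte{leaf.Raw, ca.Raw}, PrivateKey: leafKey}}}))
	defer ln.Close()
	captured := make(chan string, 1)
	go func() {
		c := must(ln.Accept())
		defer c.Close()
		buf := make([]byte, 256)
		n, _ := c.Read(buf) // the first Read also drives the server side of the handshake
		captured <- string(buf[:n])
	}()
	cfg := &tls.Config{RootCAs: roots, ServerName: ExpectedHost}
	if !verifyDuringHandshake {
		// Flawed ordering: accept any chain rooted in a trusted CA; the name is checked later.
		cfg.InsecureSkipVerify = true
		cfg.VerifyPeerCertificate = func(raw [][]byte, _ [][]*x509.Certificate) error {
			_, err := must(x509.ParseCertificate(raw[0])).Verify(x509.VerifyOptions{Roots: roots}) // no DNSName: chain only
			return err
		}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil { // correct ordering: the handshake itself rejects the name mismatch
		return Outcome{Captured: <-captured, ClientErr: err}
	}
	defer conn.Close()
	must(conn.Write([]byte("AUTH " + SampleToken + "\n"))) // the credential goes out first...
	// ...and only now does the flawed client compare the certificate to the expected hostname.
	err = conn.ConnectionState().PeerCertificates[0].VerifyHostname(ExpectedHost)
	return Outcome{Captured: <-captured, ClientErr: err}
}

func main() {
	for _, during := range []bool{false, true} {
		o := RunScenario(during)
		fmt.Printf("verify during handshake=%v: attacker captured %q, client error: %v\n", during, o.Captured, o.ClientErr)
	}
}
```

Run it with go run: the flawed client still ends with a hostname error, exactly as the advisory describes, but the listener has already captured the AUTH line; the fixed client fails inside the handshake and the listener receives nothing. The JSSE equivalent of the second client is to set the endpoint identification algorithm on the SSLParameters of the SSLEngine or SSLSocket before the handshake starts, rather than running a HostnameVerifier after the connection is already established.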

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                  Affected versions     Patched versions
org.apache.pulsar:pulsar-client (Maven)  < 2.7.5               2.7.5
org.apache.pulsar:pulsar-client (Maven)  >= 2.8.0, < 2.8.4     2.8.4
org.apache.pulsar:pulsar-client (Maven)  >= 2.9.0, < 2.9.3     2.9.3
org.apache.pulsar:pulsar-client (Maven)  >= 2.10.0, < 2.10.1   2.10.1

Affected products: 4

Patches: 0 (no patches discovered yet)


References: 4
