Disabled Hostname Verification makes Brokers, Proxies vulnerable to MITM attack
Description
TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client, leaving intra-cluster connections and geo-replication connections vulnerable to man-in-the-middle attacks, which could leak credentials, configuration data, message data, and any other data sent by these clients. The vulnerability applies to both the pulsar+ssl protocol and HTTPS. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host. This issue affects Apache Pulsar Broker, Proxy, and WebSocket Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Pulsar clients fail to enable TLS hostname verification, allowing man-in-the-middle attacks that leak credentials and data.
Vulnerability
Overview
The TLS hostname verification feature cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client [1]. This leaves intra-cluster connections and geo-replication connections vulnerable to man-in-the-middle (MITM) attacks. The vulnerability affects Apache Pulsar Broker, Proxy, and WebSocket Proxy versions 2.7.0 to 2.7.4, 2.8.0 to 2.8.3, 2.9.0 to 2.9.2, 2.10.0, and 2.6.4 and earlier [1].
Exploitation
Conditions
An attacker must control a machine positioned between the client and the server, then actively manipulate traffic by presenting a cryptographically valid certificate for an unrelated host [1]. The vulnerability applies to both the pulsar+ssl protocol and HTTPS [1].
Impact
Successful exploitation could leak credentials, configuration data, message data, and any other data sent by these clients [1].
Mitigation
As of the publication date, the vulnerability is inherent in the affected versions because hostname verification cannot be enabled [1]. Users should restrict network access to trusted hosts, monitor for updates from Apache, and plan to upgrade to a version that implements hostname verification once available.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
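The check these clients cannot turn on, shown as an added Python illustration (not Pulsar's own code): an RFC 6125-style hostname match over the dict format `ssl.SSLSocket.getpeercert()` returns after chain validation. The two certificate dicts are constructed samples; `connect_decision` models why a cryptographically valid certificate for an unrelated host is accepted when the check is disabled.

```python
"""RFC 6125-style hostname check over the dict ssl.SSLSocket.getpeercert() returns."""
import ipaddress

# Constructed sample: a certificate a MITM host could present to the broker's
# client. Its chain validates (issued by a trusted CA), but its names belong to
# an unrelated host, so only hostname verification can reject it.
UNRELATED_CERT = {
    "subject": ((("commonName", "unrelated.example.org"),),),
    "subjectAltName": (("DNS", "unrelated.example.org"),),
}
# Constructed sample: the certificate the genuine broker presents.
GENUINE_CERT = {
    "subject": ((("commonName", "pulsar cluster"),),),
    "subjectAltName": (("DNS", "*.pulsar.example"), ("IP Address", "10.0.0.5")),
}

def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a wildcard may only be the whole leftmost label
    and never spans a dot or matches an empty label (RFC 6125 section 6.4.3)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 2:
        return False
    if "*" in pattern:
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
            return False
        return p_labels[1:] == h_labels[1:] and h_labels[0] != ""
    return p_labels == h_labels

def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the target hostname (or IP) is covered by a subjectAltName entry;
    commonName is deliberately ignored, as current verifiers do."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and ip is None and _dns_match(value, hostname):
            return True
        if kind == "IP Address" and ip is not None and ipaddress.ip_address(value) == ip:
            return True
    return False

def connect_decision(cert: dict, hostname: str, verify_hostname: bool) -> str:
    """With verification disabled, any cryptographically valid cert is accepted."""
    if not verify_hostname or hostname_matches(cert, hostname):
        return "accept"
    return f"reject: certificate not issued for {hostname}"
```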
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.pulsar:pulsar-broker | Maven | < 2.7.5 | 2.7.5 |
| org.apache.pulsar:pulsar-proxy | Maven | < 2.7.5 | 2.7.5 |
| org.apache.pulsar:pulsar-broker | Maven | >= 2.8.0, < 2.8.4 | 2.8.4 |
| org.apache.pulsar:pulsar-proxy | Maven | >= 2.8.0, < 2.8.4 | 2.8.4 |
| org.apache.pulsar:pulsar-broker | Maven | >= 2.9.0, < 2.9.3 | 2.9.3 |
| org.apache.pulsar:pulsar-proxy | Maven | >= 2.9.0, < 2.9.3 | 2.9.3 |
| org.apache.pulsar:pulsar-broker | Maven | >= 2.10.0, < 2.10.1 | 2.10.1 |
| org.apache.pulsar:pulsar-proxy | Maven | >= 2.10.0, < 2.10.1 | 2.10.1 |
Affected products
- Range: 2.7.0-2.7.4, 2.8.0-2.8.3, 2.9.0-2.9.2, 2.10.0, <=2.6.4
- GHSA coordinates: < 2.7.5 (+ 1 more)
- (no CPE) range: < 2.7.5
- Range: 2.10.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-jvf3-mfxv-jcqr (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-33682 (NVD advisory)
- lists.apache.org/thread/l0ynfl161qghwfcgbbl8ld9hzbl9t3yx (Apache mailing list announcement)
News mentions
No linked articles in our index yet.