Apache Pulsar: Incorrect Authorization for Function Worker when using mTLS Authentication through Pulsar Proxy
Description
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar.
This issue affects Apache Pulsar: before 2.10.4, and 2.11.0.
When a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar Function Worker, the Pulsar Function Worker incorrectly performs authorization by using the Proxy's role for authorization instead of the client's role, which can lead to privilege escalation, especially if the proxy is configured with a superuser role.
The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.4. 2.11 Pulsar Function Worker users should upgrade to at least 2.11.1. 3.0 Pulsar Function Worker users are unaffected. Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Pulsar Function Worker incorrectly authorizes client requests via mTLS proxy, using proxy's role instead of client's, leading to privilege escalation.
Vulnerability
Description
Incorrect authorization vulnerability in Apache Pulsar Function Worker occurs when a client connects via the Pulsar Proxy. When the proxy uses mTLS authentication with the Function Worker, the worker improperly uses the proxy's role for authorization instead of the client's actual role. This flaw affects Pulsar versions before 2.10.4 and 2.11.0 [2].
Exploitation
An attacker can exploit this by connecting to the Function Worker through the Pulsar Proxy configured with mTLS. The proxy authenticates to the worker, and the worker mistakenly inherits the proxy's privileges. If the proxy is assigned a superuser role, the client obtains unauthorized elevated permissions. No additional authentication bypass is needed beyond accessing the system via the proxy [2].
Impact
Successful exploitation leads to privilege escalation, allowing an attacker to perform actions beyond their intended authorization. This could include executing functions, accessing sensitive data, or performing administrative operations that the client should not be permitted [2].
Mitigation
The recommended mitigation is to upgrade the Pulsar Function Worker to patched versions: 2.10.4 or later, or 2.11.1 or later. Users on 2.9.* or earlier should upgrade to one of these versions. Pulsar 3.0 is unaffected [2]. The Apache Pulsar project provides the fix in the official repository [1].
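To make the authorization mistake concrete, the following is an added, self-contained Python model of the decision a worker behind a proxy has to make; it is illustrative code written for this page, not Apache Pulsar's own code, and the role names, permission table, `TRUSTED_PROXY_ROLES` set and `Request` fields are all constructed assumptions. `authorize_vulnerable` reproduces the flaw described above (authorizing the mTLS connection's role, which is the proxy's), while `authorize_fixed` resolves the role that should actually be checked: the forwarded client identity, and only when the connection was authenticated as a trusted proxy, so that an ordinary client cannot assert someone else's identity.

```python
"""Illustrative model (not Apache Pulsar code) of the authorization flaw described in
CVE-2023-30429: a worker reached through a proxy must authorize the client's role,
not the proxy's own mTLS role. Every name, role and permission here is constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed role -> permission table (assumed; not the project's real ACL model).
PERMISSIONS = {
    "proxy-admin": {"*"},                  # superuser role the proxy authenticates with
    "analytics-team": {"function:read"},   # an ordinary tenant role
}

# Roles allowed to forward a client identity on behalf of someone else (assumed config).
TRUSTED_PROXY_ROLES = {"proxy-admin"}

# Constructed audit trail so a defender can see why a request was refused.
AUDIT_LOG = []


@dataclass(frozen=True)
class Request:
    authenticated_role: str                  # role of the mTLS connection the worker terminated
    original_principal: Optional[str]        # client identity forwarded by the proxy, if any
    action: str


def has_permission(role: str, action: str) -> bool:
    perms = PERMISSIONS.get(role, set())
    return "*" in perms or action in perms


def authorize_vulnerable(req: Request) -> bool:
    """The flawed decision: authorize whoever holds the connection. Behind a superuser
    proxy, every client inherits superuser."""
    return has_permission(req.authenticated_role, req.action)


def effective_role(req: Request) -> Optional[str]:
    """Resolve the role that should be authorized.

    - No forwarded identity: the connection's own role is the caller.
    - Forwarded identity from a trusted proxy: the forwarded client is the caller.
    - Forwarded identity from anything else: impersonation attempt; refuse (None).
    """
    if req.original_principal is None:
        return req.authenticated_role
    if req.authenticated_role not in TRUSTED_PROXY_ROLES:
        AUDIT_LOG.append(
            f"denied: role {req.authenticated_role!r} asserted original principal "
            f"{req.original_principal!r} but is not a trusted proxy"
        )
        return None
    return req.original_principal


def authorize_fixed(req: Request) -> bool:
    """The corrected decision: check the effective (client) role, never the proxy's."""
    role = effective_role(req)
    return role is not None and has_permission(role, req.action)


def run_scenarios() -> dict:
    """Constructed scenarios comparing the two decisions."""
    via_proxy_delete = Request("proxy-admin", "analytics-team", "function:delete")
    via_proxy_read = Request("proxy-admin", "analytics-team", "function:read")
    direct_read = Request("analytics-team", None, "function:read")
    spoofed = Request("analytics-team", "proxy-admin", "function:delete")
    return {
        "proxy_delete_vulnerable": authorize_vulnerable(via_proxy_delete),  # True: escalation
        "proxy_delete_fixed": authorize_fixed(via_proxy_delete),            # False
        "proxy_read_fixed": authorize_fixed(via_proxy_read),                # True
        "direct_read_fixed": authorize_fixed(direct_read),                  # True
        "spoofed_fixed": authorize_fixed(spoofed),                          # False, audited
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
    for line in AUDIT_LOG:
        print(line)
```

The key design point is the pairing in `effective_role`: trusting a forwarded identity only from a connection that authenticated as a proxy is what lets the worker authorize the client without opening an impersonation path for ordinary clients.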
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.pulsar:pulsar (Maven) | < 2.10.4 | 2.10.4 |
| org.apache.pulsar:pulsar (Maven) | >= 2.11.0, < 2.11.1 | 2.11.1 |
Affected products
- (no CPE) range: <2.10.4 || =2.11.0
- (no CPE) range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-g9cv-v3v4-3h8r (GHSA, advisory)
- lists.apache.org/thread/v0gcvvxswr830314q4b1kybsfmcf3jf8 (GHSA, vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-30429 (GHSA, advisory)
News mentions
No linked articles in our index yet.