Apache Pulsar: Broker does not always disconnect client when authentication data expires
Description
Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with authenticateOriginalAuthData=false or if a client connects directly to a broker with a specially crafted connect command when the broker is configured with authenticateOriginalAuthData=false.
This issue affects Apache Pulsar: through 2.9.4, from 2.10.0 through 2.10.3, 2.11.0.
2.9 Pulsar Broker users should upgrade to at least 2.9.5. 2.10 Pulsar Broker users should upgrade to at least 2.10.4. 2.11 Pulsar Broker users should upgrade to at least 2.11.1. 3.0 Pulsar Broker users are unaffected. Any users running the Pulsar Broker for 2.8.* and earlier should upgrade to one of the above patched versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-31007: Apache Pulsar Broker improper authentication allows a client to stay connected after credentials expire when authenticateOriginalAuthData is disabled.
Vulnerability
Overview
CVE-2023-31007 is an Improper Authentication vulnerability in Apache Pulsar Broker. The flaw allows a client to remain connected to a broker after its authentication data expires. This occurs when the broker is configured with authenticateOriginalAuthData=false and the client connects through the Pulsar Proxy, or when a client connects directly using a specially crafted connect command under the same configuration [1][2].
Exploitation
Conditions
Exploitation requires a specific broker configuration (authenticateOriginalAuthData=false). This setting is typically used in deployments where the Pulsar Proxy handles initial authentication, but the broker does not re-verify the client's credentials after the proxy session. An attacker who initially authenticates (or gains access via a valid credential) can then send a crafted connect command to bypass subsequent authentication checks, maintaining a persistent connection [2].
Impact
An attacker exploiting this vulnerability can maintain unauthorized access to a Pulsar broker beyond the token's expiration period. This could lead to continued message production or consumption, access to sensitive data, or other broker operations without proper authorization, compromising the security of the messaging system [1][2].
Mitigation
Apache Pulsar has released patched versions: 2.9.5, 2.10.4, and 2.11.1. Users of versions through 2.9.4, 2.10.0 through 2.10.3, and 2.11.0 should upgrade immediately. Version 3.0 and later are unaffected. Administrators should also review their configuration of authenticateOriginalAuthData to ensure alignment with security requirements [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.pulsar:pulsar-broker (Maven) | >= 2.9.0, < 2.10.4 | 2.10.4 |
| org.apache.pulsar:pulsar-broker (Maven) | >= 2.11.0, < 2.11.1 | 2.11.1 |
Affected products
- Range: <=2.9.4, 2.10.0-2.10.3, 2.11.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-47r2-phr8-m8cp (GHSA advisory)
- lists.apache.org/thread/qxn99xxyp0zv6jchjggn3soyo5gvqfxj (vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2023-31007 (NVD advisory)
News mentions
No linked articles in our index yet.