Apache Pulsar: Improper Authorization For Topic-Level Policy Management
Description
The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role.
This issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Apache Pulsar users should upgrade to at least 2.10.6. 2.11 Apache Pulsar users should upgrade to at least 2.11.4. 3.0 Apache Pulsar users should upgrade to at least 3.0.3. 3.1 Apache Pulsar users should upgrade to at least 3.1.3. 3.2 Apache Pulsar users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper authorization in Apache Pulsar allows authenticated users with produce/consume permissions to modify topic-level policies, bypassing tenant admin restrictions.
CVE-2024-28098 is an improper authorization vulnerability in Apache Pulsar affecting topic-level policy management. The root cause is that the authorization logic incorrectly grants users with only produce or consume permissions the ability to modify critical topic policies such as retention, TTL, and offloading settings. These operations should require tenant admin or super user roles, but the system fails to enforce this restriction [1][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.pulsar:pulsar-broker | Maven | >= 3.2.0, < 3.2.1 | 3.2.1 |
| org.apache.pulsar:pulsar-broker | Maven | >= 3.1.0, < 3.1.3 | 3.1.3 |
| org.apache.pulsar:pulsar-broker | Maven | >= 3.0.0, < 3.0.3 | 3.0.3 |
| org.apache.pulsar:pulsar-broker | Maven | >= 2.11.0, < 2.11.4 | 2.11.4 |
| org.apache.pulsar:pulsar-broker | Maven | >= 2.7.1, < 2.10.6 | 2.10.6 |
Affected products
- Range: 2.7.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-g627-r579-rw35 (advisory, via GHSA)
- [2] nvd.nist.gov/vuln/detail/CVE-2024-28098 (advisory, via GHSA)
- [3] pulsar.apache.org/security/CVE-2024-28098/ (vendor advisory, via MITRE)
- [4] www.openwall.com/lists/oss-security/2024/03/12/12 (web, via GHSA)
- [5] lists.apache.org/thread/3m6923y3wxpdcs9346sjvt8ql9swqc2z (mailing list, via GHSA)
- [6] pulsar.apache.org/security/CVE-2024-28098 (web, via GHSA)
News mentions
No linked articles in our index yet.