Unrated severityNVD Advisory· Published Jun 2, 2026· Updated Jun 2, 2026

CVE-2026-41115

Description

An improper authorization vulnerability has been identified in Apache Kafka.

The implementation of the CONSUMER_GROUP_DESCRIBE (69) API validates the DESCRIBE operation on the GROUP resource instead of the READ operation that documented in the official kafka documentation and the KIP-848. This discrepancy can result in misconfigured Access Control Lists (ACLs) and unintended security postures, like granting READ permission to users who should not be able to join/sync groups, or allowing users without READ permission (but with DESCRIBE permission) to access sensitive group metadata.

The correct permission for CONSUMER_GROUP_DESCRIBE API is DESCRIBE GROUP so the current implementation is correct. However, the kafka documentation as well as the KIP-848 will be updated to reflect the correct permission. We advise the Kafka users to review existing group ACLs to ensure the principle of least privilege.

Affected products

Apache/Kafkallm-fuzzy

Patches

e4b9bbd9f96b

MINOR: fix doc for CVE-2026-41115 (#22447)

https://github.com/apache/kafkaLuke ChenJun 2, 2026via github-commit-search

commit

1 file changed · +1 −1

docs/security/authorization-and-acls.md+1 −1 modified

@@ -2252,7 +2252,7 @@ CONSUMER_GROUP_DESCRIBE (69)
 </td>  
 <td>
 
-Read
+Describe
 </td>  
 <td>

Vulnerability mechanics

Synthesis attempt was rejected by the grounding validator. Re-run pending.

References

kafka.apache.org/cve-listnvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000