VYPR
Medium severity4.3NVD Advisory· Published Jun 2, 2026· Updated Jun 3, 2026

CVE-2026-41115

CVE-2026-41115

Description

An improper authorization vulnerability has been identified in Apache Kafka.

The implementation of the CONSUMER_GROUP_DESCRIBE (69) API validates the DESCRIBE operation on the GROUP resource instead of the READ operation that documented in the official kafka documentation and the KIP-848. This discrepancy can result in misconfigured Access Control Lists (ACLs) and unintended security postures, like granting READ permission to users who should not be able to join/sync groups, or allowing users without READ permission (but with DESCRIBE permission) to access sensitive group metadata.

The correct permission for CONSUMER_GROUP_DESCRIBE API is DESCRIBE GROUP so the current implementation is correct. However, the kafka documentation as well as the KIP-848 will be updated to reflect the correct permission. We advise the Kafka users to review existing group ACLs to ensure the principle of least privilege.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • Apache/Kafka2 versions
    cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*:*range: >=4.0.0,<=4.3.0
    • (no CPE)
  • osv-coords
    Range: >= 4.0.0, < 4.3.1

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.