Maven package
org.apache.kafka/kafka-clients
pkg:maven/org.apache.kafka/kafka-clients
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33558 | Med | 5.3 | | >= 0.11.0, < 3.9.2 | 3.9.2 | Apr 20, 2026 | Information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensit |
| CVE-2026-33557 | Cri | 9.1 | | >= 4.1.0, < 4.1.2 | 4.1.2 | Apr 20, 2026 | A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature, |
| CVE-2026-35554 | Hig | 8.7 | | >= 2.8.0, < 3.9.2 | 3.9.2 | Apr 7, 2026 | A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics. When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch |
| CVE-2025-27817 | — | — | | >= 3.1.0, < 3.9.1 | 3.9.1 | Jun 10, 2025 | A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting the SASL/OAUTHBEARER connection with the brokers, including "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwk |
| CVE-2024-31141 | — | — | | >= 2.3.0, < 3.7.1 | 3.7.1 | Nov 19, 2024 | Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients accept configuration data for customizing behavior, and includes ConfigProvider plugins in order to manipulate these configurations. Apa |
| CVE-2021-38153 | — | — | | >= 2.0.0, < 2.6.3 | 2.6.3 | Sep 22, 2021 | Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnera |
| CVE-2017-12610 | Med | 6.8 | | >= 0.10.0.0, < 0.10.2.2 | 0.10.2.2 | Jul 26, 2018 | In Apache Kafka 0.10.0.0 to 0.10.2.1 and 0.11.0.0 to 0.11.0.1, authenticated Kafka clients may use impersonation via a manually crafted protocol message with SASL/PLAIN or SASL/SCRAM authentication when using the built-in PLAIN or SCRAM server implementations in Apache Kafka. |