VYPR

Maven package

org.apache.kafka/kafka-clients

pkg:maven/org.apache.kafka/kafka-clients

Vulnerabilities (7)

  • CVE-2026-33558   Medium   Apr 20, 2026
    affected >= 0.11.0, < 3.9.2   fixed 3.9.2

    Information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensit

  • CVE-2026-33557   Critical   Apr 20, 2026
    affected >= 4.1.0, < 4.1.2   fixed 4.1.2

    A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature,
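    The advisory's core point is a validator that parses the JWT but never checks who signed it. The following is an added illustration, not the Kafka project's code: a decode-only validator of the kind described beside one that verifies an HS256 signature with the issuer's key, rejects `alg=none`, and checks issuer and expiry. The issuer, keys and claims are constructed for the demo.

```python
"""Added example (not Kafka code): decode-only JWT acceptance vs. signature checking.
Issuer, keys and claims below are constructed for the demo."""
import base64
import hashlib
import hmac
import json

ISSUER = "https://sso.example.internal"      # constructed issuer
ISSUER_KEY = b"issuer-hmac-key-for-demo"      # constructed secret shared with the issuer
ATTACKER_KEY = b"attacker-key"                # key the broker has never seen


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a JWT; alg='none' yields the unsigned form an attacker might send."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = b"" if alg == "none" else hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_only_validator(token: str) -> dict:
    """Accepts anything that parses; never looks at the signature (the flaw class)."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def signature_checking_validator(token: str, key: bytes, issuer: str, now: int) -> dict:
    """Verify HS256 signature, pin the algorithm, then check issuer and expiry."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # refuses alg=none and algorithm confusion
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def run_demo() -> dict:
    """Map (validator, token) -> accepted subject or 'rejected'."""
    now = 1_700_000_000
    good = mint_token({"iss": ISSUER, "sub": "app-consumer", "exp": now + 300}, ISSUER_KEY)
    forged = mint_token({"iss": ISSUER, "sub": "admin", "exp": now + 300}, ATTACKER_KEY)
    unsigned = mint_token({"iss": ISSUER, "sub": "admin", "exp": now + 300}, b"", alg="none")
    out = {}
    for name, tok in {"good": good, "forged": forged, "unsigned": unsigned}.items():
        out[("decode_only", name)] = decode_only_validator(tok)["sub"]
        try:
            out[("checked", name)] = signature_checking_validator(tok, ISSUER_KEY, ISSUER, now)["sub"]
        except ValueError:
            out[("checked", name)] = "rejected"
    return out


if __name__ == "__main__":
    for (validator, token_name), result in run_demo().items():
        print(f"{validator:12s} {token_name:9s} -> {result}")
```

    The decode-only path accepts both the attacker-signed and the unsigned token as `admin`; the checking path accepts only the issuer-signed one. Production validators use the issuer's JWKS and asymmetric algorithms rather than a shared HMAC key, but the acceptance logic is the same.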

  • CVE-2026-35554   High   Apr 7, 2026
    affected >= 2.8.0, < 3.9.2   fixed 3.9.2

    A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics. When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch

  • CVE-2025-27817   Jun 10, 2025
    affected >= 3.1.0, < 3.9.1   fixed 3.9.1

    A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting the SASL/OAUTHBEARER connection with the brokers, including "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwk
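    The flaw described above is the client following URLs taken straight from configuration, so a configuration the operator does not fully control can point the OAUTHBEARER endpoints at a local file or an internal service. The guard below is an added example, not Kafka code: a hypothetical pre-flight check that a deployment can run over the client properties before handing them to the client. It requires `https`, an allowlisted host and no embedded credentials. The host allowlist and sample configs are constructed.

```python
"""Added example (not Kafka code): allowlist the OAUTHBEARER endpoint URLs
before a client config is used.  Hosts and configs are constructed."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"sso.example.internal"}   # constructed allowlist of identity providers

# Client properties that hold URLs the client will fetch (documented property names).
URL_PROPERTIES = (
    "sasl.oauthbearer.token.endpoint.url",
    "sasl.oauthbearer.jwks.endpoint.url",
)


def check_oauth_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> tuple[bool, str]:
    """Return (ok, reason).  Rejects non-https (so file:, http:), userinfo tricks
    and any host that is not explicitly allowlisted."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = parts.hostname or ""
    if host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    return True, "ok"


def validate_oauth_config(cfg: dict) -> dict:
    """Return cfg unchanged if every OAUTHBEARER URL passes; raise listing the failures."""
    failures = {}
    for key in URL_PROPERTIES:
        if key in cfg:
            ok, why = check_oauth_url(cfg[key])
            if not ok:
                failures[key] = why
    if failures:
        raise ValueError(f"rejected OAUTHBEARER config: {failures}")
    return cfg


if __name__ == "__main__":
    # constructed examples of a legitimate and an attacker-supplied config
    good = {"sasl.oauthbearer.token.endpoint.url": "https://sso.example.internal/oauth/token",
            "sasl.oauthbearer.jwks.endpoint.url": "https://sso.example.internal/.well-known/jwks.json"}
    bad = {"sasl.oauthbearer.token.endpoint.url": "file:///etc/passwd",
           "sasl.oauthbearer.jwks.endpoint.url": "http://169.254.169.254/latest/meta-data/"}
    print(validate_oauth_config(good))
    try:
        validate_oauth_config(bad)
    except ValueError as e:
        print(e)
```

    A check of this shape belongs wherever untrusted configuration enters (Connect worker REST API, self-service config stores), in addition to upgrading to a fixed client.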

  • CVE-2024-31141   Nov 19, 2024
    affected >= 2.3.0, < 3.7.1   fixed 3.7.1

    Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients accept configuration data for customizing behavior, and includes ConfigProvider plugins in order to manipulate these configurations. Apa
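    The issue here is a ConfigProvider that reads whatever file path a `${provider:path:key}` reference names. As an added example (not Kafka's own FileConfigProvider), the hypothetical provider below confines reads to one allowlisted directory and canonicalises the requested path (resolving `..` and symlinks) before comparing it with that root, so traversal and symlink tricks cannot escape. The demo builds its own temporary directory layout.

```python
"""Added example (not Kafka code): a file-backed config provider that confines
reads to an allowlisted directory.  The directory layout is constructed by demo()."""
import os
import tempfile
from pathlib import Path


class ConfinedFileProvider:
    def __init__(self, allowed_root: str):
        # Resolve the root too, so a symlinked root compares correctly.
        self.root = Path(allowed_root).resolve()

    def _confine(self, requested: str) -> Path:
        real = Path(requested).resolve()   # collapses '..' and follows symlinks
        try:
            real.relative_to(self.root)
        except ValueError:
            raise PermissionError(f"{requested} resolves outside {self.root}") from None
        return real

    def get(self, path: str, key: str) -> str:
        """Read key=value lines from an allowlisted properties file and return one key."""
        props = {}
        with open(self._confine(path), encoding="utf-8") as fh:
            for line in fh:
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    k, v = line.split("=", 1)
                    props[k.strip()] = v.strip()
        return props[key]


def demo() -> dict:
    """Constructed layout: <tmp>/allowed/db.properties (readable) and
    <tmp>/secret/root.properties (must stay unreadable through the provider)."""
    tmp = tempfile.mkdtemp()
    allowed = os.path.join(tmp, "allowed")
    secret = os.path.join(tmp, "secret")
    os.mkdir(allowed)
    os.mkdir(secret)
    Path(allowed, "db.properties").write_text("password=db-pass\n")
    Path(secret, "root.properties").write_text("password=super-secret\n")
    os.symlink(os.path.join(secret, "root.properties"), os.path.join(allowed, "link.properties"))

    provider = ConfinedFileProvider(allowed)
    results = {"direct": provider.get(os.path.join(allowed, "db.properties"), "password")}
    attempts = {
        "traversal": os.path.join(allowed, "..", "secret", "root.properties"),
        "symlink": os.path.join(allowed, "link.properties"),
    }
    for name, path in attempts.items():
        try:
            results[name] = provider.get(path, "password")
        except PermissionError:
            results[name] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

    Without the `_confine` step the same provider happily returns `super-secret` for both the traversal and the symlink path, which is the data-exposure the advisory describes.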

  • CVE-2021-38153   Sep 22, 2021
    affected >= 2.0.0, < 2.6.3   fixed 2.6.3

    Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnera
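    `Arrays.equals` returns at the first differing byte, so the time it takes depends on how long the attacker's guess matches the secret. The added example below (not Kafka code) instruments an early-exit comparison and a constant-time one to count the bytes each examines, then runs a byte-at-a-time recovery that uses only that count as its oracle; this shows the leak deterministically, without timing noise. The secret is constructed.

```python
"""Added example (not Kafka code): early-exit vs constant-time comparison,
instrumented to expose the work-count side channel.  Secret is constructed."""
import hmac


def early_exit_equals(a: bytes, b: bytes) -> tuple[bool, int]:
    """Arrays.equals-style: stops at the first mismatch.  Returns (equal, bytes examined)."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def constant_time_equals(a: bytes, b: bytes) -> tuple[bool, int]:
    """Examines every byte regardless of where the mismatch is."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def prefix_recovery(secret: bytes, compare) -> bytes:
    """Recover the secret one byte at a time, using only the work count as the oracle.
    With early_exit_equals the count grows exactly when the byte is right."""
    guess = bytearray(len(secret))
    for pos in range(len(secret)):
        found = None
        for cand in range(256):
            guess[pos] = cand
            equal, steps = compare(secret, bytes(guess))
            if equal or steps > pos + 1:   # comparison went past this byte: it matched
                found = cand
                break
        guess[pos] = found if found is not None else 0
    return bytes(guess)


def safe_equals(a: bytes, b: bytes) -> bool:
    """What production code should actually call."""
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    secret = b"s3cr3t-k3y"   # constructed
    print("early-exit   :", prefix_recovery(secret, early_exit_equals))
    print("constant-time:", prefix_recovery(secret, constant_time_equals))
```

    Against the early-exit comparison the recovery needs at most 256 guesses per byte instead of 256^n overall; against the constant-time one the oracle returns the same count for every guess and the recovery learns nothing. In Java the equivalent of `hmac.compare_digest` is `MessageDigest.isEqual`, which is what the fix for this class of bug switches to.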

  • CVE-2017-12610   Medium   Jul 26, 2018
    affected >= 0.10.0.0, < 0.10.2.2   fixed 0.10.2.2

    In Apache Kafka 0.10.0.0 to 0.10.2.1 and 0.11.0.0 to 0.11.0.1, authenticated Kafka clients may use impersonation via a manually crafted protocol message with SASL/PLAIN or SASL/SCRAM authentication when using the built-in PLAIN or SCRAM server implementations in Apache Kafka.
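    A SASL/PLAIN message (RFC 4616) carries three fields: authorization id, authentication id and password, separated by NUL bytes. The server verifies the authentication id and password; the authorization id is the identity the client asks to act as. A server that checks the credentials but then adopts the authorization id unchecked lets any valid user name any principal, which is the impersonation class this advisory describes (SCRAM carries the same field, and the same rule applies). The added example below is not Kafka's PlainSaslServer; it shows the vulnerable and fixed decision side by side. The user store is constructed.

```python
"""Added example (not Kafka code): SASL/PLAIN authzid handling, vulnerable vs fixed.
Users and passwords are constructed."""
import hmac

USERS = {"alice": b"alice-pw", "bob": b"bob-pw"}   # constructed credential store


def parse_plain(msg: bytes) -> tuple[str, str, bytes]:
    """RFC 4616: [authzid] NUL authcid NUL passwd."""
    parts = msg.split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed SASL/PLAIN message")
    authzid, authcid, passwd = parts
    if not authcid or not passwd:
        raise ValueError("authcid and password are required")
    return authzid.decode("utf-8"), authcid.decode("utf-8"), passwd


def _credentials_ok(authcid: str, passwd: bytes) -> bool:
    # Constant-time compare against a dummy value when the user is unknown,
    # so the check takes the same time either way.
    stored = USERS.get(authcid, b"\0" * 32)
    return authcid in USERS and hmac.compare_digest(stored, passwd)


def authenticate_vulnerable(msg: bytes) -> str:
    """Returns the principal the session will run as."""
    authzid, authcid, passwd = parse_plain(msg)
    if not _credentials_ok(authcid, passwd):
        raise PermissionError("bad credentials")
    return authzid or authcid      # BUG: trusts the requested identity without checking it


def authenticate_fixed(msg: bytes) -> str:
    authzid, authcid, passwd = parse_plain(msg)
    if not _credentials_ok(authcid, passwd):
        raise PermissionError("bad credentials")
    if authzid and authzid != authcid:
        raise PermissionError("authorization id must be empty or equal to the authenticated user")
    return authcid


if __name__ == "__main__":
    normal = b"\0alice\0alice-pw"            # constructed: no authzid, the usual client form
    crafted = b"admin\0alice\0alice-pw"      # constructed: alice's real password, 'admin' requested
    print("normal  vulnerable:", authenticate_vulnerable(normal), " fixed:", authenticate_fixed(normal))
    print("crafted vulnerable:", authenticate_vulnerable(crafted))
    try:
        authenticate_fixed(crafted)
    except PermissionError as e:
        print("crafted fixed: rejected,", e)
```

    The crafted message authenticates as `alice` yet the vulnerable server hands back a session for `admin`; the fixed server refuses any authorization id that does not match the user who actually proved possession of a password.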