By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

PreferencesRejectAccept
Manage Consent Preferences by Category
Essentials
Always active

Necessary for the site to function. Always On.

Used for targeted advertising.

Remembers your preferences and provides enhanced features.

Measures usage and improves your experience.

Reject AllAccept All
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
View all Vulnerabilities

CVE-2024-56128

Incorrectly Configured Access Control
Affects
Apache Kafka
in
Spring
No items found.
Versions
>=0.10.2.0 <3.7.2 =3.8.0
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Apache Kafka is a distributed streaming platform designed for building real-time data pipelines and event-driven applications at enterprise scale. It offers a high-throughput, fault-tolerant messaging system that enables applications to publish, store, and process continuous streams of records with low latency. 

A security vulnerability (CVE-2024-56128) has been identified in Apache Kafka, affecting kafka-clients and posing elevated risk in deployments that use SCRAM authentication without TLS protection. Because Kafka’s SCRAM implementation failed to verify that the client-supplied nonce in the final handshake message matched the server-issued nonce as required by RFC 5802, an attacker with plaintext visibility into the authentication exchange could manipulate the SCRAM flow and compromise its integrity. Deployments using SCRAM over TLS are not impacted, but systems relying on SCRAM over insecure channels may be exposed and should upgrade to a version that includes proper nonce validation.

Per OWASP: Improper Validation of Certificate with Host Mismatch occurs when an application accepts a certificate without confirming that its subject matches the expected host, weakening the guarantees provided by TLS. When hostname verification is missing or incorrectly implemented, attackers can present a valid certificate for a different domain, enabling man-in-the-middle interception, traffic manipulation, or impersonation of trusted services. Without strict hostname checking, applications may unknowingly communicate with untrusted endpoints, exposing sensitive data and undermining the security of encrypted connections.

This issue affects multiple versions of Apache Kafka kafka-clients.

Details

Module Info

Vulnerability Info

This medium-severity vulnerability is found in the kafka-client package in all published versions of Apache Kafka.

Kafka’s SCRAM mechanism is designed to mutually confirm both client and server values during the authentication handshake, including verification that the final client nonce matches the server-provided nonce. However, the implementation did not perform this required check, allowing an attacker with plaintext access to the SCRAM exchange to tamper with authentication message contents. When SCRAM is used over non-TLS channels, this gap weakens the integrity of the authentication flow and could permit manipulation of the handshake. Deployments using SCRAM exclusively over TLS are protected, while those using SASL_PLAINTEXT are at risk and should upgrade to a version that includes proper nonce validation.

Steps To Reproduce

Use a Kafka deployment configured with SASL_PLAINTEXT and SCRAM authentication, then initiate a SCRAM handshake in which the final client message does not maintain the correct server-issued nonce. In affected versions, the server accepts the message despite the mismatch.

Proof Of Concept

In vulnerable configurations, if an attacker can observe or interfere with the SCRAM messages sent over an unencrypted channel, the server will accept a final client message containing a modified nonce because the expected RFC-mandated verification was missing. This demonstrates how the authentication flow can be influenced when SCRAM is used without TLS.

Mitigation

Only recent versions of Apache Kafka are community-supported. Only the recent community supported version will receive updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Apache Kafka
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credit

  • Tim Fox (timvolpe@gmail.com)

Pink arrow
Pink arrow
CVE-2012-5055
CVE-2014-0097
CVE-2019-3795
CVE-2019-11272
CVE-2016-1000027
CVE-2020-5408
CVE-2021-22112
CVE-2022-22950
CVE-2022-22965
CVE-2022-22968
CVE-2022-22971
CVE-2022-22970
CVE-2022-22978
CVE-2022-22976
CVE-2022-31692
CVE-2023-20861
CVE-2022-27772
CVE-2023-20863
CVE-2023-20862
CVE-2023-20883
CVE-2024-22234
CVE-2024-22243
CVE-2024-22259
CVE-2024-22262
CVE-2024-38808
CVE-2024-38807
CVE-2024-38809
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
CVE-2023-34040
CVE-2025-22228
CVE-2025-22232
CVE-2025-22234
CVE-2025-22235
CVE-2024-22257
CVE-2025-22233
CVE-2025-41235
CVE-2025-41242
CVE-2025-41243
CVE-2025-41249
CVE-2025-41254
CVE-2025-41253
CVE-2024-56128
CVE-2025-27817
CVE-2024-31141
CVE-2023-25194
What is a HeroDevs Security Advisory?
Vulnerability Details
ID
CVE-2024-56128
PROJECT Affected
Apache Kafka
Versions Affected
>=0.10.2.0 <3.7.2 =3.8.0
Published date
December 16, 2025
≈ Fix date
November 15, 2025
Fixed in
NES for Spring
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
Medium
Category
Incorrectly Configured Access Control
Sign up for the latest vulnerability alerts fixed in
NES for Spring
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.