CVE-2026-33558
Overview
Apache Kafka is an open-source distributed event-streaming platform used for high-throughput, fault-tolerant data pipelines, messaging, and stream processing. Its Java client library (kafka-clients) provides the producer, consumer, and admin APIs that applications use to communicate with a Kafka cluster.
An Information Exposure vulnerability (CVE-2026-33558) has been identified in the kafka-clients library, which allows attackers to recover SASL credentials, SCRAM salts and salted passwords, delegation-token HMACs, and broker configuration values from application log files. When DEBUG logging is enabled on org.apache.kafka.clients.NetworkClient, the client writes the full request and response objects to the log, and several of those objects render their sensitive fields verbatim.
Per OWASP: Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.
This issue affects multiple versions of Apache Kafka, from 0.11.0 up to but not including 3.9.2, as well as 4.0.0.
Details
Module Info
- Product: Apache Kafka
- Affected packages: kafka-clients
- Affected versions: >=0.11.0 <3.9.2, =4.0.0
- GitHub repository: https://github.com/apache/kafka
- Published packages: https://central.sonatype.com/artifact/org.apache.kafka/kafka-clients
- Package manager: Gradle
- Fixed in:
  - OSS Apache Kafka: 3.9.2, 4.0.1, 4.1.0
  - NES for Apache Kafka: 3.1.4
Vulnerability Info
This Medium-severity vulnerability is found in the kafka-clients package. The client class org.apache.kafka.clients.NetworkClient logs the entire request and response object at the DEBUG level on both the send and receive paths:
    // Send path: the final {} placeholder expands to request.toString()
    if (log.isDebugEnabled()) {
        log.debug("Sending {} request with header {} and timeout {} to node {}: {}",
            clientRequest.apiKey(), header, clientRequest.requestTimeoutMs(), destination, request);
    }
    // ...
    // Receive path: the final {} placeholder expands to response.toString()
    if (log.isDebugEnabled()) {
        log.debug("Received {} response from node {} for request with header {}: {}",
            req.header.apiKey(), req.destination, req.header, response);
    }
Several request and response types render their secret fields in toString(). AbstractRequest declares public final String toString(), so subclasses cannot mask their contents, and the logged object prints the raw underlying data including SASL bytes, SCRAM salts and salted passwords, delegation-token HMACs and IDs, and configuration values. The subclasses include: AlterUserScramCredentialsRequest, IncrementalAlterConfigsRequest, AlterConfigsRequest, the delegation-token create/renew/expire/describe requests and responses, and the SASL authenticate request and response.
The default log level is INFO, so exposure occurs only when an operator raises NetworkClient (or an ancestor logger) to DEBUG and the client invokes one of the impacted APIs. The disclosure is passive: anyone able to read the logs, including log-aggregation and SIEM systems, can recover the leaked secrets, which can then be used for network authentication.
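As an added example (not part of the advisory or the Kafka project), the following Python scanner shows how a defender can check existing application logs for the exposure described above: it picks out DEBUG lines from org.apache.kafka.clients.NetworkClient whose "Sending ... request" / "Received ... response" message carries one of the impacted API keys, and rewrites them with the serialized object masked. The "<date> <time> <LEVEL> <logger> - <message>" layout, the RequestHeader(...) rendering of the header, and the sample log lines are assumptions constructed for the example.

```python
import re

# Assumed log layout "<date> <time> <LEVEL> <logger> - <message>" (a common
# log4j/logback pattern; adjust LOG_LINE to the application's own pattern).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<level>[A-Z]+)\s+(?P<logger>[\w.$]+)\s+-\s+(?P<msg>.*)$")
NETWORK_CLIENT = "org.apache.kafka.clients.NetworkClient"

# ApiKeys names of the request/response types the advisory lists as rendering
# secrets in toString() (SASL authenticate, SCRAM/config alters, delegation tokens).
SENSITIVE_APIS = {
    "SASL_AUTHENTICATE", "ALTER_USER_SCRAM_CREDENTIALS", "ALTER_CONFIGS",
    "INCREMENTAL_ALTER_CONFIGS", "CREATE_DELEGATION_TOKEN",
    "RENEW_DELEGATION_TOKEN", "EXPIRE_DELEGATION_TOKEN", "DESCRIBE_DELEGATION_TOKEN",
}

# The two NetworkClient message shapes quoted above. "prefix" ends right before
# the serialized request/response object, which follows the final ": ".
SEND = re.compile(r"^(?P<prefix>Sending (?P<api>[A-Z_]+) request with header .* to node \S+): (?P<obj>.*)$")
RECV = re.compile(r"^(?P<prefix>Received (?P<api>[A-Z_]+) response from node \S+ "
                  r"for request with header .*?\)): (?P<obj>.*)$")

def classify(line):
    """Return (api_key, redacted_line) when the line is a DEBUG NetworkClient
    send/receive of a secret-bearing API; None otherwise."""
    m = LOG_LINE.match(line)
    if not m or m["level"] != "DEBUG" or m["logger"] != NETWORK_CLIENT:
        return None
    body = SEND.match(m["msg"]) or RECV.match(m["msg"])
    if not body or body["api"] not in SENSITIVE_APIS:
        return None
    redacted = f"{m['ts']} {m['level']} {m['logger']} - {body['prefix']}: <REDACTED>"
    return body["api"], redacted

def scan(lines):
    """Scan an iterable of log lines; return all (api_key, redacted_line) findings."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log: two exposed lines, one harmless DEBUG send, one non-send line.
SAMPLE_LOG = [
    "2026-03-01 12:00:00,123 DEBUG org.apache.kafka.clients.NetworkClient - Sending SASL_AUTHENTICATE request with header RequestHeader(apiKey=SASL_AUTHENTICATE, apiVersion=2, clientId=app-1, correlationId=3) and timeout 30000 to node -1: SaslAuthenticateRequestData(authBytes=[constructed-secret-bytes])",
    "2026-03-01 12:00:00,456 DEBUG org.apache.kafka.clients.NetworkClient - Sending METADATA request with header RequestHeader(apiKey=METADATA, apiVersion=12, clientId=app-1, correlationId=4) and timeout 30000 to node 1: MetadataRequestData(topics=[])",
    "2026-03-01 12:00:01,000 DEBUG org.apache.kafka.clients.NetworkClient - Initiating connection to node 1 (constructed)",
    "2026-03-01 12:00:02,000 DEBUG org.apache.kafka.clients.NetworkClient - Received CREATE_DELEGATION_TOKEN response from node 1 for request with header RequestHeader(apiKey=CREATE_DELEGATION_TOKEN, apiVersion=3, clientId=app-1, correlationId=7): CreateDelegationTokenResponseData(hmac=[constructed-hmac-bytes])",
]

if __name__ == "__main__":
    for api, line in scan(SAMPLE_LOG):
        print(api, "->", line)
```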
Mitigation
Only recent versions of Apache Kafka are community-supported. The affected 3.1.x line is End-of-Life and will not receive public updates to address this issue. There is no publicly available fix for the 3.1.x line; NES for Apache Kafka is the remedy for that line.
Users of the affected components should apply one of the following mitigations:
- Upgrade Apache Kafka to a currently supported release that contains the fix, such as 3.9.2.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Credits
- Alyssa Huang from Confluent (finder)
- Luke Chen (finder)