CVE-2026-33558

Information Exposure
Affects: Apache Kafka in NES for Apache Kafka
Versions: >=0.11.0 <3.9.2, =4.0.0

Overview

Apache Kafka is an open-source distributed event-streaming platform used for high-throughput, fault-tolerant data pipelines, messaging, and stream processing. Its Java client library (kafka-clients) provides the producer, consumer, and admin APIs that applications use to communicate with a Kafka cluster.

An Information Exposure vulnerability (CVE-2026-33558) has been identified in the kafka-clients library, which allows attackers to recover SASL credentials, SCRAM salts and salted passwords, delegation-token HMACs, and broker configuration values from application log files. When DEBUG logging is enabled on org.apache.kafka.clients.NetworkClient, the client writes the full request and response objects to the log, and several of those objects render their sensitive fields verbatim.

Per OWASP: Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.

This issue affects multiple versions of Apache Kafka, from 0.11.0 up to but not including 3.9.2, as well as 4.0.0.

Details

Vulnerability Info

This Medium-severity vulnerability is found in the kafka-clients package. The client class org.apache.kafka.clients.NetworkClient logs the entire request and response object at the DEBUG level on both the send and receive paths:

if (log.isDebugEnabled()) {
    log.debug("Sending {} request with header {} and timeout {} to node {}: {}",
        clientRequest.apiKey(), header, clientRequest.requestTimeoutMs(), destination, request);
}
// ...
if (log.isDebugEnabled()) {
    log.debug("Received {} response from node {} for request with header {}: {}",
        req.header.apiKey(), req.destination, req.header, response);
}

Several request and response types render their secret fields in toString(). AbstractRequest declares public final String toString(), so subclasses cannot mask their contents, and the logged object prints the raw underlying data, including SASL bytes, SCRAM salts and salted passwords, delegation-token HMACs and IDs, and configuration values. The affected subclasses include AlterUserScramCredentialsRequest, IncrementalAlterConfigsRequest, AlterConfigsRequest, the delegation-token create/renew/expire/describe requests and responses, and the SASL authenticate request and response. The default log level is INFO, so exposure occurs only when an operator raises NetworkClient (or an ancestor logger) to DEBUG and the client invokes one of the impacted APIs. The disclosure is passive: anyone able to read the logs, including log-aggregation and SIEM systems, can recover the leaked secrets, which can then be used for network authentication.
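As an added illustration (not code from the advisory or from the Kafka project), the following detector scans client log lines for the two NetworkClient DEBUG messages quoted above and flags the API keys whose request or response objects dump secrets, replacing the object dump before the line is forwarded. The timestamp/logger prefix and the sample log lines are constructed assumptions; the message text follows the two format strings above, and the API key names are the Kafka ApiKeys enum constants that NetworkClient prints.

```python
import re
from dataclasses import dataclass

# Request/response types the advisory lists as rendering secrets in toString(),
# named as the Kafka ApiKeys enum constants that NetworkClient logs.
SENSITIVE_API_KEYS = {
    "SASL_AUTHENTICATE", "ALTER_USER_SCRAM_CREDENTIALS",
    "ALTER_CONFIGS", "INCREMENTAL_ALTER_CONFIGS",
    "CREATE_DELEGATION_TOKEN", "RENEW_DELEGATION_TOKEN",
    "EXPIRE_DELEGATION_TOKEN", "DESCRIBE_DELEGATION_TOKEN",
}

# Built from the two NetworkClient format strings quoted in the advisory.
# Everything after the final ": " is the request/response object's toString().
SEND_RE = re.compile(r"Sending (?P<api>[A-Z_]+) request with header .*? to node \S+: (?P<body>.*)$")
RECV_RE = re.compile(r"Received (?P<api>[A-Z_]+) response from node .*?: (?P<body>.*)$")

@dataclass
class Finding:
    line_no: int
    direction: str   # "send" or "receive"
    api_key: str
    redacted: str    # the line with the object dump replaced

def scan_kafka_client_log(lines):
    """Return a Finding for every DEBUG line that dumps a sensitive request/response."""
    findings = []
    for n, line in enumerate(lines, 1):
        if "DEBUG" not in line:          # the leak only exists at DEBUG level
            continue
        for direction, rx in (("send", SEND_RE), ("receive", RECV_RE)):
            m = rx.search(line)
            if m and m.group("api") in SENSITIVE_API_KEYS:
                redacted = line[: m.start("body")] + "<REDACTED>"
                findings.append(Finding(n, direction, m.group("api"), redacted))
                break
    return findings

# Constructed sample lines (the layout prefix is an assumption; the message text follows the advisory).
SAMPLE_LOG = [
    "2026-07-01 10:00:01 DEBUG o.a.k.clients.NetworkClient - Sending METADATA request with header RequestHeader(apiKey=METADATA) and timeout 30000 to node -1: MetadataRequestData(topics=[])",
    "2026-07-01 10:00:02 DEBUG o.a.k.clients.NetworkClient - Sending SASL_AUTHENTICATE request with header RequestHeader(apiKey=SASL_AUTHENTICATE) and timeout 30000 to node -1: SaslAuthenticateRequestData(authBytes=[0, 97, 108, 105, 99, 101])",
    "2026-07-01 10:00:03 DEBUG o.a.k.clients.NetworkClient - Received CREATE_DELEGATION_TOKEN response from node 1 for request with header RequestHeader(apiKey=CREATE_DELEGATION_TOKEN): CreateDelegationTokenResponseData(hmac=[...])",
    "2026-07-01 10:00:04 INFO  o.a.k.clients.NetworkClient - Disconnecting from node 1",
]

if __name__ == "__main__":
    for f in scan_kafka_client_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.direction} {f.api_key} -> {f.redacted}")
```

The METADATA line is deliberately left alone: only the API keys the advisory names are treated as sensitive, so routine DEBUG output is not suppressed.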

Mitigation

Only recent versions of Apache Kafka are community-supported. The affected 3.1.x line is End-of-Life and will not receive public updates to address this issue. There is no publicly available fix for the 3.1.x line; NES for Apache Kafka is the remedy for that line.

Users of the affected components should apply one of the following mitigations:

  • Upgrade Apache Kafka to a currently supported release that contains the fix, such as 3.9.2.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

Severity: Medium
CVSS scale: Low >=0 <4; Medium >=4 <6; High >=6 <8; Critical >=8 <10
ID: CVE-2026-33558
Project Affected: Apache Kafka
Versions Affected: >=0.11.0 <3.9.2, =4.0.0
Published date: July 1, 2026
Category: Information Exposure