Apache Kafka - 30 CVEs (Page 1/1)

About “Apache Kafka”

A curated feed of “Apache Kafka”-related CVEs appears below. We currently track 30 CVEs for this tag (all time). In the last 365 days, 15 were published. Average CVSS is 7.0 (all time; 7.1 over 365d), and 60% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-502 - Deserialization of Untrusted Data, CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor, CWE-285 - Improper Authorization.

In our taxonomy this topic maps to a MODERATE impact class. Message brokers and streaming platforms require strict ACLs and TLS. Patch brokers and clients, isolate management ports, limit anonymous access, and set resource limits. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: apache-kafka

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle	Release	Latest	Extended Support	EOL
4.3	2026-05-20	4.3.0	Unavailable	-
4.2	2026-02-17	4.2.1	2028-03-04	-
4.1	2025-09-02	4.1.2	2027-10-15	-
4.0	2025-03-18	4.0.2	2027-06-11	-
3.9	2024-11-06	3.9.2	2027-02-19	-
3.8	2024-07-26	3.8.1	2026-12-02	2024-11-06 Expired
3.7	2024-02-26	3.7.2	2026-07-26	2024-07-26 Expired
3.6	2023-10-03	3.6.2	2026-02-09	2024-02-27 Expired
3.5	2023-06-13	3.5.2	2025-08-25	2023-10-03 Expired
3.4	2023-02-06	3.4.1	2025-05-03	2023-06-13 Expired
3.3	2022-09-28	3.3.2	2024-11-04	2023-02-06 Expired
3.2	2022-05-09	3.2.3	2024-07-06	2022-09-28 Expired
3.1	2022-01-21	3.1.2	2024-04-05	2022-09-19 Expired
3.0	2021-09-20	3.0.2	2023-10-27	2022-09-19 Expired
2.8	2021-04-18	2.8.2	2023-06-08	2022-09-19 Expired
2.7	2020-12-19	2.7.2	2023-02-09	2021-11-15 Expired
2.6	2020-08-03	2.6.3	2022-09-24	2021-11-15 Expired
2.5	2020-04-14	2.5.1	2022-04-24	2020-08-10 Expired
2.4	2019-12-14	2.4.1	2022-01-10	2020-04-15 Expired
2.3	2019-06-24	2.3.1	2021-07-19	2019-12-16 Expired
2.2	2019-03-22	2.2.2	2021-03-28	2019-12-01 Expired
2.1	2018-11-20	2.1.1	2020-12-14	2019-03-22 Expired
2.0	2018-07-28	2.0.1	2020-07-31	2018-11-20 Expired
1.1	2018-03-28	1.1.1	2020-04-16	2018-07-30 Expired
1.0	2017-10-31	1.0.2	2019-11-28	2018-07-08 Expired
0.11	2017-06-28	0.11.0.3	2019-08-01	2018-07-02 Expired
0.10	2016-05-22	0.10.2.2	2019-03-02	2018-07-02 Expired
0.9	2015-11-23	0.9.0.1	2017-12-07	2016-05-22 Expired
0.8	2013-12-03	0.8.2.2	Unavailable	2015-11-23 Expired
0.7	2012-01-04	0.7.2	Unavailable	2013-12-03 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS · RSS (expired) · ICS

Subscribe CVEs: RSS for “Apache Kafka” · RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0

2026-06-02

Medium

CVE-2026-45080

Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to version 2.10.4, improper access control allows disclosure of password hash. This issue has been patched in versio…

CVSS: 6.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD

Low

CVE-2026-44367

Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to version 2.10.4, a vulnerability exists in the user registration and login mechanisms due to inconsistent handling…

CVSS: 2.7 CWE: CWE-20 - Improper Input Validation View on NVD

Medium

CVE-2026-41115

An improper authorization vulnerability has been identified in Apache Kafka. The implementation of the CONSUMER_GROUP_DESCRIBE (69) API validates the DESCRIBE operation on the GROUP resource instead…

CVSS: 4.3 CWE: CWE-285 - Improper Authorization View on NVD

2026-04-20

Medium

CVE-2026-33558

Information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By defau…

CVSS: 5.3 CWE: CWE-533 View on NVD

Critical

CVE-2026-33557

A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.…

CVSS: 9.1 CWE: CWE-1285 - Improper Validation of Specified Index, Position, or Offset in Input View on NVD

2026-04-07

High

CVE-2026-35554

A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics. When a produce batch expires due to delivery.timeo…

CVSS: 8.7 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD

2026-02-21

High

CVE-2026-27134

Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. In versions 0.49.0 through 0.50.0, when using a custom Cluster or Clients CA wi…

CVSS: 8.1 CWE: CWE-287 - Improper Authentication View on NVD

2026-02-20

Medium

CVE-2026-27133

Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 to before 0.50.1, when a chain consisting of multiple CA (Certificat…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD

2026-02-11

High

CVE-2026-25999

Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to 2.10.2, there is an improper access control vulnerability that allows unauthorized users to trigger a reset or de…

CVSS: 7.1 CWE: CWE-285 - Improper Authorization View on NVD

2026-01-16

High

CVE-2026-23529

Kafka Connect BigQuery Connector is an implementation of a sink connector from Apache Kafka to Google BigQuery. Prior to 2.11.0, there is an arbitrary file read in Google BigQuery Sink connector. Aiv…

CVSS: 7.7 CWE: CWE-73 - External Control of File Name or Path View on NVD

2025-12-05

High

CVE-2025-66623

Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 and prior to 0.49.1, in some situations, Strimzi creates an incorrec…

CVSS: 7.4 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD

2025-06-10

High

CVE-2025-27819

In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. But not only Kafka Connect API is vulnerable to this attack, the Apa…

CVSS: 7.5 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD

High

CVE-2025-27818

A possible security vulnerability has been identified in Apache Kafka. This requires access to a alterConfig to the cluster resource, or Kafka Connect worker, and the ability to create/modify connect…

CVSS: 8.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD

High

CVE-2025-27817

A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting the SASL/OAUTHBEARER connection with the b…

CVSS: 7.5 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD

2025-06-06

High

CVE-2025-49127

Kafbat UI is a web user interface for managing Apache Kafka clusters. An unsafe deserialization vulnerability in version 1.0.0 allows any unauthenticated user to execute arbitrary code on the server.…

CVSS: 8.9 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD

2025-04-09

Medium

CVE-2025-30677

Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive confi…

CVSS: 6.5 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD

2024-12-18

Medium

CVE-2024-56128

Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Issue Summary: Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (S…

CVSS: 5.3 CWE: CWE-303 - Incorrect Implementation of Authentication Algorithm View on NVD

2024-11-19

Medium

CVE-2024-31141

Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients accept configuration data for customizing behavior, and…

CVSS: 6.5 CWE: CWE-269 - Improper Privilege Management View on NVD

2024-06-19

High

CVE-2024-32030

Kafka UI is an Open-Source Web UI for Apache Kafka Management. Kafka UI API allows users to connect to different Kafka brokers by specifying their network address and port. As a separate feature, it…

CVSS: 8.1 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD

2024-04-12

High

CVE-2024-27309

While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Two preconditions are needed to trigger the bug: 1. The administ…

CVSS: 7.4 CWE: CWE-863 - Incorrect Authorization View on NVD

2023-12-12

High

CVE-2023-36648

Missing authentication in the internal data streaming system in ProLion CryptoSpike 3.0.15P2 allows remote unauthenticated users to read potentially sensitive information and deny service to users by…

CVSS: 8.2 CWE: CWE-287 - Improper Authentication View on NVD

2023-08-24

Medium

CVE-2023-34040

In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have t…

CVSS: 5.3 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD

2023-02-07

High

CVE-2023-25194

A possible security vulnerability has been identified in Apache Kafka Connect API. This requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary…

CVSS: 8.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD

2022-09-20

High

CVE-2022-34917

A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on br…

CVSS: 7.5 CWE: CWE-789 - Memory Allocation with Excessive Size Value View on NVD

2021-09-22

Medium

CVE-2021-38153

Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successfu…

CVSS: 5.9 CWE: CWE-203 - Observable Discrepancy View on NVD

2020-01-14

High

CVE-2019-12399

When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to…

CVSS: 7.5 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD

2019-07-11

High

CVE-2018-17196

In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually craft a Produce request which bypasses transaction/idempotent ACL validation. Only authenticated clients with Write per…

CVSS: 8.8 CWE: N/A View on NVD

2018-11-06

High

CVE-2018-12413

The Schema repository server (tibschemad) component of TIBCO Software Inc.'s TIBCO Messaging - Apache Kafka Distribution - Schema Repository - Community Edition, and TIBCO Messaging - Apache Kafka Di…

CVSS: 7.5 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD

2018-07-26

Medium

CVE-2018-1288

In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request in…

CVSS: 5.4 CWE: N/A View on NVD

Medium

CVE-2017-12610

In Apache Kafka 0.10.0.0 to 0.10.2.1 and 0.11.0.0 to 0.11.0.1, authenticated Kafka clients may use impersonation via a manually crafted protocol message with SASL/PLAIN or SASL/SCRAM authentication w…

CVSS: 6.8 CWE: CWE-287 - Improper Authentication View on NVD