Kafka UI 0.7.1 Command Injection
An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/topic/messages. id: CVE-2023-52251 info: name: Kafka UI 0.7.1 Command Injection author: yhy0,iamnoooob severity: high description: | An...
Apache Kafka Client - Arbitrary File Read
Apache Kafka Client contains an arbitrary file read and server-side request forgery caused by untrusted configuration of sasl.oauthbearer.token.endpoint.url and sasl.oauthbearer.jwks.endpoint.url, letting attackers read files or send requests to unintended locations; the exploit requires an untrusted party...
ROOT-APP-MAVEN-CVE-2024-31141 CVE-2024-31141 in io.root.org.apache.kafka:kafka-clients - Patched by Root
Root has patched CVE-2024-31141 in the io.root.org.apache.kafka:kafka-clients package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2026-35554 CVE-2026-35554 in io.root.org.apache.kafka:kafka-clients - Patched by Root
Root has patched CVE-2026-35554 in the io.root.org.apache.kafka:kafka-clients package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2026-33558 CVE-2026-33558 in io.root.org.apache.kafka:kafka-clients - Patched by Root
Root has patched CVE-2026-33558 in the io.root.org.apache.kafka:kafka-clients package for Root:Maven. Multiple fixed versions available...
CVE-2026-55226
When deploying only the Topic Operator or only the User Operator via the Kafka custom resource, the Entity Operator's ServiceAccount retains RBAC rights for both operators rather than scoping permissions to the one actually deployed. This allows the ServiceAccount to access KafkaUser custom...
ROOT-APP-MAVEN-CVE-2025-27817 CVE-2025-27817 in io.root.org.apache.kafka:kafka-clients - Patched by Root
Root has patched CVE-2025-27817 in the io.root.org.apache.kafka:kafka-clients package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2024-56128 CVE-2024-56128 in io.root.org.apache.kafka:kafka_2.12 - Patched by Root
Root has patched CVE-2024-56128 in the io.root.org.apache.kafka:kafka_2.12 package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2025-27818 CVE-2025-27818 in io.root.org.apache.kafka:kafka_2.12 - Patched by Root
Root has patched CVE-2025-27818 in the io.root.org.apache.kafka:kafka_2.12 package for Root:Maven. Multiple fixed versions available...
CVE-2026-41731
A flaw was found in the spring-kafka component. A remote attacker, by supplying crafted header values, could exploit a vulnerability in JsonKafkaHeaderMapper and DefaultKafkaHeaderMapper that incorrectly matched type headers against trusted packages. This issue, combined with Jackson's default be...
Apache Druid Kafka Connect - Remote Code Execution
The vulnerability has the potential to enable a remote attacker with authentication to run any code on the system. This is due to unsafe deserialization that occurs during the configuration of the connector through the Kafka Connect REST API. id: CVE-2023-25194 info: name: Apache Druid Kafka Conne...
Linux Distros Unpatched Vulnerability : CVE-2026-10143
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in SCRAM authentication handling that allows a malicious or machine-in-the-middle broker ...
GHSA-H2QV-FJ59-J46J vulnerabilities
Vulnerabilities for packages: apache-hop, apache-hop-fips, hono, management-api-for-apache-cassandra-5.0, knative-kafka-broker-fips, thingsboard, zipkin, apicurio-registry, pinot, keycloak-fips, pinot-fips, celeborn, apache-activemq-artemis, neo4j, knative-kafka-broker, request-9047-keycloak-fips...
CVE-2026-48059 vulnerabilities
Vulnerabilities for packages: apache-hop, apache-hop-fips, hono, management-api-for-apache-cassandra-5.0, knative-kafka-broker-fips, thingsboard, zipkin, apicurio-registry, pinot, keycloak-fips, pinot-fips, celeborn, apache-activemq-artemis, neo4j, knative-kafka-broker, request-9047-keycloak-fips...
CVE-2026-10142
A flaw was found in kafka-python. A malicious broker or a machine-in-the-middle attacker can exploit a denial-of-service vulnerability in the protocol parser. By sending a specially crafted 4-byte frame length value without proper bounds validation, an attacker can trigger excessive memory...
SUSE CVE-2026-10142
kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in the protocol parser that allows a malicious broker or machine-in-the-middle attacker to exhaust memory or hang connections by sending a crafted 4-byte frame length value without bounds validation. Attackers can send a...
SUSE CVE-2026-10143
kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in SCRAM authentication handling that allows a malicious or machine-in-the-middle broker to freeze the client event loop by supplying an excessively large iteration count. In scram.py, ScramClient.process_server_first_message...
Linux Distros Unpatched Vulnerability : CVE-2026-10142
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in the protocol parser that allows a malicious broker or machine-in-the-middle attacker t...
CVE-2026-41726
A flaw was found in spring-kafka. When an application uses the DelegatingDeserializer, a malicious producer can exploit this vulnerability by sending records with unique, random spring.kafka.serialization.selector header values. This can cause the consumer's memory heap to grow without limits,...
EUVD-2026-36128
kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in SCRAM authentication handling that allows a malicious or machine-in-the-middle broker to freeze the client event loop by supplying an excessively large iteration count. In scram.py, ScramClient.process_server_first_message...