36 matches found

IBM Security Bulletins
added 2026/06/05 7:35 p.m., 13 views

Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Apache Kafka (CVE-2026-35554)

Summary: A vulnerability in Apache Kafka that is used by InfoSphere Information Server was addressed. Vulnerability Details: CVEID: CVE-2026-33558. DESCRIPTION: Information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component will output entire requests and response...

8.7 CVSS, 5.8 AI score, 0.00535 EPSS
Exploits 0, Affected Software 1
CNNVD
added 2026/06/02 12:0 a.m., 4 views

Apache Kafka Security Vulnerability

Apache Kafka is an open-source distributed streaming platform developed by the Apache Foundation in the United States. This platform enables the acquisition of real-time data, allowing for the creation of applications that can respond instantly to changes in data streams. There is a security...

4.3 CVSS, 5.4 AI score, 0.00288 EPSS
Exploits 0, References 2
IBM Security Bulletins
added 2026/05/08 6:5 p.m., 6 views

Security Bulletin: Multiple security vulnerabilities in IBM Business Automation Manager Open Editions

Summary: In addition to many updates of operating system level packages, the following security vulnerability is addressed in IBM Business Automation Manager Open Editions 8.0.9-IF0001. Vulnerability Details: CVEID: CVE-2026-35554. DESCRIPTION: A race condition in the Apache Kafka Java producer client...

8.7 CVSS, 6 AI score, 0.00328 EPSS
Exploits 0, Affected Software 1
IBM Security Bulletins
added 2026/05/06 3:22 p.m., 5 views

Security Bulletin: IBM Enterprise Build of Quarkus is affected by a vulnerability in Apache Kafka

Summary: IBM Enterprise Build of Quarkus is affected by a vulnerability in Apache Kafka. Vulnerability Details: CVEID: CVE-2026-35554. DESCRIPTION: A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics. When a...

8.7 CVSS, 6 AI score, 0.00328 EPSS
Exploits 0, Affected Software 1
Veracode
added 2026/04/30 9:40 a.m., 10 views

Sensitive Information Disclosure

Apache Kafka is vulnerable to Sensitive Information Disclosure. The vulnerability is due to logging of sensitive request and response data at DEBUG level in the NetworkClient component, which allows an attacker with log access to obtain sensitive information...

5.3 CVSS, 5.2 AI score, 0.00535 EPSS
Exploits 0, References 3, Affected Software 1
Tenable Nessus
added 2026/04/21 12:0 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2026-33557

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A possible security vulnerability has been identified in Apache Kafka. By default, the broker property sasl.oauthbearer.jwt.validator.class is set to...

9.1 CVSS, 5.7 AI score, 0.005 EPSS
Exploits 0, References 2
EUVD
added 2026/04/20 3:31 p.m., 4 views

EUVD-2026-23846

A possible security vulnerability has been identified in Apache Kafka. By default, the broker property sasl.oauthbearer.jwt.validator.class is set to org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator. It accepts any JWT token without validating its signature, issuer, or audience. A...

9.1 CVSS, 5.7 AI score, 0.005 EPSS
Exploits 0, References 4
OSV
added 2026/04/20 3:31 p.m., 6 views

GHSA-28JG-CGG7-J4WC Apache Kafka does not validate JWT tokens in its OAUTHBEARER authentication implementation

A security vulnerability has been identified in Apache Kafka. By default, the broker property sasl.oauthbearer.jwt.validator.class is set to org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator. It accepts any JWT token without validating its signature, issuer, or audience. An attacke...

9.1 CVSS, 5.4 AI score, 0.005 EPSS
Exploits 0, References 6
NVD
added 2026/04/20 2:16 p.m., 4 views

CVE-2026-33557

A possible security vulnerability has been identified in Apache Kafka. By default, the broker property sasl.oauthbearer.jwt.validator.class is set to org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator. It accepts any JWT token without validating its signature, issuer, or audience. A...

9.1 CVSS, 0.005 EPSS
Exploits 0, References 3
Cvelist
added 2026/04/20 1:28 p.m., 27 views

CVE-2026-33557 Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication

A possible security vulnerability has been identified in Apache Kafka. By default, the broker property sasl.oauthbearer.jwt.validator.class is set to org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator. It accepts any JWT token without validating its signature, issuer, or audience. A...

0.005 EPSS
Exploits 0, References 2
vulnersOsv
added 2026/04/07 3:30 p.m., 4 views

ai.pipestream:account-service (>=0.0.2 <=0.0.8), ai.pipestream:connector-admin-service (>=0.1.1 <=0.1.8) +438 more potentially affected by CVE-2026-35554 via org.apache.kafka:kafka-clients (>=4.0.0 <=4.0.1)

org.apache.kafka:kafka-clients MAVEN version =4.0.0, =0.0.2, =0.1.1, =0.2.7, =0.2.7, =0.2.7, =0.2.7, =0.1.7, =0.0.1, =0.0.1, =0.0.6, =1.2.4, =1.2.11 and more Source cves: CVE-2026-35554 Source advisory: OSV:GHSA-5QCV-4RPC-JP93...

8.7 CVSS, 5.8 AI score, 0.00328 EPSS
Exploits 0
IBM Security Bulletins
added 2026/01/07 6:7 a.m., 7 views

Security Bulletin: Kafka client library upgraded to kafka-clients-3.9.1

Summary: Kafka client library upgraded to kafka-clients-3.9.1. Vulnerability Details: CVEID: CVE-2025-27818. DESCRIPTION: A possible security vulnerability has been identified in Apache Kafka. This requires access to an alterConfig to the cluster resource, or Kafka Connect worker, and the ability to...

8.8 CVSS, 6.9 AI score, 0.60841 EPSS
Exploits 2, Affected Software 1
RedHat Linux
added 2025/12/16 11:13 p.m., 3 views

org.apache.kafka: Kafka JNDI Login Module RCE Vulnerability

A flaw was found in org.apache.kafka. The JndiLoginModule within the SASL authentication mechanism allows remote code execution and denial of service when misconfigured. This flaw allows an attacker to provide a malicious JNDI URI within the Kafka broker's configuration, permitting arbitrary code...

7.5 CVSS, 6.5 AI score, 0.00871 EPSS
Exploits 0, References 5
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2020-0867

Malware in sbrugna...

9.3 CVSS, 8.1 AI score, 0.01752 EPSS
Exploits 0, References 4
EUVD
added 2025/10/03 8:7 p.m., 6 views

EUVD-2022-3959

Malicious code in bioql PyPI...

5.5 CVSS, 6.5 AI score, 0.04801 EPSS
Exploits 0, References 19
EUVD
added 2025/10/03 8:7 p.m., 8 views

EUVD-2022-2333

Malicious code in bioql PyPI...

8.8 CVSS, 8.6 AI score, 0.05479 EPSS
Exploits 0, References 20
EUVD
added 2025/10/03 8:7 p.m., 5 views

EUVD-2025-17641

Malicious code in bioql PyPI...

7.5 CVSS, 7.4 AI score, 0.00871 EPSS
Exploits 0, References 4
IBM Security Bulletins
added 2025/09/15 1:10 p.m., 6 views

Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to kafka-clients-3.9.0.jar CVE-2025-27818, CVE-2025-27817

Summary: IBM Maximo Application Suite - Monitor Component is vulnerable to kafka-clients-3.9.0.jar CVE-2025-27818, CVE-2025-27817. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details: CVEID: CVE-2025-27818. DESCRIPTION: A possible security vulnerability ha...

8.8 CVSS, 6.8 AI score, 0.60841 EPSS
Exploits 2, Affected Software 1
vulnersOsv
added 2025/06/10 9:30 a.m., 3 views

com.alibaba.otter:canal.deployer (>=1.1.1 <=1.1.4), com.alibaba.otter:canal.kafka (=1.1.0) +105 more potentially affected by CVE-2025-27819 via org.apache.kafka:kafka_2.11 (>=1.0.0 <=1.1.1)

org.apache.kafka:kafka_2.11 MAVEN version =1.0.0, =1.1.1, =1.1.1, =1.1.1, =1.1.5, =0.1.0, =6.0.1, =6.0.1, =6.0.1, =6.0.1, =6.0.1, =6.0.1, =6.0.1, =6.0.1, =6.0.21 and more. Source cves: CVE-2025-27819. Source advisory: OSV:GHSA-MCWH-C9PG-XW43...

7.5 CVSS, 6.4 AI score, 0.00871 EPSS
Exploits 0
OSV
added 2025/06/10 9:30 a.m., 1 views

GHSA-MCWH-C9PG-XW43 Apache Kafka Deserialization of Untrusted Data vulnerability

In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. But not only Kafka Connect API is vulnerable to this attack, the Apache Kafka brokers also have this vulnerability. To exploit this vulnerability, the attacker needs ...

8.8 CVSS, 5.7 AI score, 0.00871 EPSS
Exploits 0, References 4