CVE-2026-27133 Strimzi All CAs from CA chain will be trusted in Kafka Connect and Kafka MirrorMaker 2 target clusters
Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 to before 0.50.1, when a chain consisting of multiple CA (Certificate Authority) certificates is used in the trusted certificates configuration of a Kafka Connect opera...
Improper Following of a Certificate's Chain of Trust
Overview: Affected versions of this package are vulnerable to Improper Following of a Certificate's Chain of Trust in the Kafka Connect and MirrorMaker 2 operands with multiple CA certificates. An attacker can gain unauthorized access by presenting a server certificate signed by any CA in the chai...
Improper Permission Assignment
Strimzi is vulnerable to Improper Permission Assignment. The vulnerability is due to Strimzi creating an incorrect Kubernetes Role that grants Kafka Connect and MirrorMaker 2 operands GET access to all Secrets in the namespace, allowing these components to read sensitive data they should not have...
CVE-2025-66623
A flaw was found in Strimzi. This vulnerability allows unauthorized GET access to all Kubernetes (K8s) Secrets that exist in the given Kubernetes (K8s) namespace via incorrect Kubernetes (K8s) Role creation. Mitigation: Mitigation for this issue is either not available or the currently available options...
Incorrect Authorization
Overview: Affected versions of this package are vulnerable to Incorrect Authorization in the process that creates Kubernetes Role bindings. An attacker can access sensitive information by executing GET requests in affected Pods using their Service Account to retrieve any Secret from the same...
CVE-2025-66623 Strimzi allows unrestricted access to all Secrets in the same Kubernetes namespace from Kafka Connect and MirrorMaker 2 operands
Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 and prior to 0.49.1, in some situations, Strimzi creates an incorrect Kubernetes Role which grants the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands th...
CVE-2025-66623
Strimzi (Kafka on Kubernetes/OpenShift) has a vulnerability in versions 0.47.0–0.49.0 where an incorrect Kubernetes Role allows GET access to all Secrets in the target namespace for Kafka Connect and MirrorMaker 2 operands. The issue is fixed in Strimzi 0.49.1. Impact is restricted to unauthorize...
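The defect class described in the CVE-2025-66623 entries above is a Role whose rule grants "get" on "secrets" without a resourceNames restriction, so the operand's ServiceAccount can read every Secret in the namespace. The following audit is an added example, not Strimzi project code and not taken from any of the advisories: it flags such rules in Role manifests and contrasts an over-broad Role with a least-privilege one. Both manifests, and the Secret and Role names in them, are constructed for illustration.

```python
"""Audit Kubernetes Role rules for over-broad Secret access.

Added example, not Strimzi project code. It models the defect class
described in CVE-2025-66623: a Role bound to an operand's ServiceAccount
that grants "get" on every Secret in the namespace instead of only on the
Secrets the operand needs. Both manifests below are constructed for
illustration; resource names are assumptions, not values from the advisory.
"""

# Constructed: an over-broad Role. With no resourceNames, "get" on
# "secrets" covers every Secret in the namespace.
OVERBROAD_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "my-connect-connect", "namespace": "kafka"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
    ],
}

# Constructed: a least-privilege equivalent. resourceNames pins "get"
# to the specific Secrets the workload is meant to read.
SCOPED_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "my-connect-connect", "namespace": "kafka"},
    "rules": [
        {
            "apiGroups": [""],
            "resources": ["secrets"],
            "verbs": ["get"],
            "resourceNames": ["my-connect-cluster-ca-cert", "my-connect-user"],
        },
    ],
}

READ_VERBS = {"get", "list", "watch", "*"}
# resourceNames does not scope list or watch: a list request still returns
# every Secret, so these verbs are treated as unrestricted regardless.
UNSCOPABLE_VERBS = {"list", "watch", "*"}


def _matches(values, wanted):
    """True if a rule field names `wanted` explicitly or via the "*" wildcard."""
    return wanted in values or "*" in values


def overbroad_secret_rules(role):
    """Return the rules in `role` that allow reading arbitrary Secrets.

    A rule is flagged when it covers the core API group, names "secrets",
    carries a read verb, and is either missing resourceNames or uses a verb
    that resourceNames cannot restrict.
    """
    flagged = []
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = set(rule.get("verbs", []))
        if not _matches(groups, "") or not _matches(resources, "secrets"):
            continue
        if not verbs & READ_VERBS:
            continue
        pinned = bool(rule.get("resourceNames"))
        if pinned and not verbs & UNSCOPABLE_VERBS:
            continue  # read access is limited to named Secrets: acceptable
        flagged.append(rule)
    return flagged


def audit(roles):
    """Map "namespace/name" of each Role that has an over-broad Secret rule
    to the number of such rules. Roles that pass are omitted."""
    report = {}
    for role in roles:
        meta = role.get("metadata", {})
        key = f"{meta.get('namespace', '')}/{meta.get('name', '')}"
        hits = overbroad_secret_rules(role)
        if hits:
            report[key] = len(hits)
    return report


if __name__ == "__main__":
    print(audit([OVERBROAD_ROLE]))  # {'kafka/my-connect-connect': 1}
    print(audit([SCOPED_ROLE]))     # {}
```

To run this against a live cluster, feed the `items` array of `kubectl get roles -A -o json` to `audit()`; each item is a Role dict of the same shape. As a complementary live check for a specific operand, `kubectl auth can-i get secrets -n kafka --as=system:serviceaccount:kafka:<sa>` (with `<sa>` replaced by the operand's ServiceAccount name) answers "yes" whenever any bound Role or ClusterRole grants the unrestricted read, regardless of how the manifest is written.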
SUSE CVE-2024-36543
Incorrect access control in the Kafka Connect REST API in the STRIMZI Project 0.41.0 and earlier allows an attacker to deny service to Kafka mirroring, potentially mirror the topics' content to their own Kafka cluster via a malicious connector, bypassing Kafka ACLs where they exist, and potentially stea...