CVE-2026-33558
Information Exposure vulnerability in kafka-clients (Maven)
What is CVE-2026-33558 About?
This vulnerability in Apache Kafka leads to information exposure when the DEBUG log level is enabled: sensitive data from requests and responses can be written to the logs. The issue is easily exploited by anyone with read access to the Kafka logs.
Affected Software
- org.apache.kafka:kafka-clients
  - >=0.11.0, <3.9.2
  - >=4.0.0, <4.0.1
Technical Details
The NetworkClient component in Apache Kafka outputs entire request and response information into the DEBUG log level. While the default log level is INFO, if an administrator configures the log level to DEBUG, then sensitive data contained within specific requests and responses will be written to the Kafka logs without redaction. The affected requests and responses include AlterConfigsRequest, AlterUserScramCredentialsRequest, ExpireDelegationTokenRequest, IncrementalAlterConfigsRequest, RenewDelegationTokenRequest, SaslAuthenticateRequest, createDelegationTokenResponse, describeDelegationTokenResponse, and SaslAuthenticateResponse. This means credentials, configuration changes, or token details could be exposed in plain text within the logs, affecting Kafka versions up to 3.9.1 and 4.0.0.
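As an added example (not code from the advisory or the Kafka project), the following Python checks the two things a defender wants to know about this issue: whether a log4j.properties file resolves the NetworkClient logger to DEBUG or TRACE, and whether an existing log file already contains DEBUG NetworkClient entries carrying one of the request or response types listed above. The log4j 1.x properties layout and the "[timestamp] LEVEL message (logger)" line format are assumptions of this example.

```python
import re

# Types the advisory names as logged unredacted at DEBUG (matched case-insensitively).
SENSITIVE_TYPES = (
    "AlterConfigsRequest", "AlterUserScramCredentialsRequest", "ExpireDelegationTokenRequest",
    "IncrementalAlterConfigsRequest", "RenewDelegationTokenRequest", "SaslAuthenticateRequest",
    "CreateDelegationTokenResponse", "DescribeDelegationTokenResponse", "SaslAuthenticateResponse",
)
NETWORK_CLIENT = "org.apache.kafka.clients.NetworkClient"
LEVELS = ["TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF"]

def effective_level(props: str, logger: str) -> str:
    """Effective log4j 1.x level of `logger`, walking the dotted logger hierarchy up to
    log4j.rootLogger. Assumes the classic Kafka 3.x log4j.properties layout (an assumption)."""
    levels = {}
    for raw in props.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, level = key.strip(), value.split(",")[0].strip().upper()  # "INFO, stdout" -> INFO
        if key == "log4j.rootLogger":
            levels[""] = level
        elif key.startswith("log4j.logger."):
            levels[key[len("log4j.logger."):]] = level
    name = logger
    while name:
        if levels.get(name) in LEVELS:
            return levels[name]
        name = name.rpartition(".")[0]
    return levels.get("", "DEBUG")  # log4j 1.x root logger defaults to DEBUG when unset

def network_client_exposes_payloads(props: str) -> bool:
    # DEBUG or TRACE on NetworkClient is the precondition the advisory describes.
    return LEVELS.index(effective_level(props, NETWORK_CLIENT)) <= LEVELS.index("DEBUG")

# Kafka's default "[timestamp] LEVEL message (logger)" layout; the regex is this example's guess.
LOG_LINE = re.compile(r"^\[[^\]]+\] (\w+) (.*) \(([\w.$]+)\)\s*$")

def find_exposed_entries(log_text: str) -> list:
    """(line_number, type) for DEBUG/TRACE NetworkClient lines that carry a sensitive type;
    any hit means the log file must be handled (and rotated) as credential material."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m or m.group(3) != NETWORK_CLIENT or m.group(1) not in ("DEBUG", "TRACE"):
            continue
        hits += [(n, t) for t in SENSITIVE_TYPES if t.lower() in m.group(2).lower()][:1]
    return hits
```

Pinning `log4j.logger.org.apache.kafka.clients.NetworkClient=INFO` keeps the rest of the client at DEBUG for troubleshooting without the payload dump, which is the mitigation for deployments that cannot upgrade immediately.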
What is the Impact of CVE-2026-33558?
Successful exploitation may allow attackers to gain access to sensitive information such as credentials, configuration details, or other private data by reading the verbose logs. This could lead to further compromise of the Kafka cluster or other connected systems.
What is the Exploitability of CVE-2026-33558?
Exploitation complexity is low, as it primarily relies on a misconfiguration of the Kafka server's logging level. Prerequisites involve the Kafka server's log level being set to DEBUG. No specific authentication or privilege is required to trigger the logging of sensitive information, but access to the Kafka server's log files is necessary to observe the exposed data. This is a local exploit in the sense that an attacker needs access to the server's file system or log aggregation system where the Kafka logs reside. There are no special conditions beyond the DEBUG log level being enabled. The main risk factor is an operational error where verbose logging for sensitive information is inadvertently turned on in a production or accessible environment.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-33558?
Available Upgrade Options
- org.apache.kafka:kafka-clients
  - >=0.11.0, <3.9.2 → Upgrade to 3.9.2
  - >=4.0.0, <4.0.1 → Upgrade to 4.0.1
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2026-33558
- https://lists.apache.org/thread/pz5g4ky3h0k91tfd14p0dzqjp80960kl
- https://osv.dev/vulnerability/GHSA-wf66-mphr-4c4r
- http://www.openwall.com/lists/oss-security/2026/04/17/3
- https://github.com/apache/kafka
- https://kafka.apache.org/cve-list
What are Similar Vulnerabilities to CVE-2026-33558?
Similar Vulnerabilities: CVE-2022-23307, CVE-2021-44228, CVE-2023-24998, CVE-2020-0081, CVE-2023-34988
