Apache kafka

This hub aggregates every CVE we track for Apache kafka, a product in the databases space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Apache kafka.

• CVE-2026-41115Apache Kafka: Improper Authorization in CONSUMER_GROUP_DESCRIBE API4.3Jun 2, 2026
• CVE-2026-33557Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication9.1Apr 20, 2026
• CVE-2026-33558Apache Kafka, Apache Kafka Clients: Information Exposure Through Network Client Log Output5.3Apr 20, 2026
• CVE-2026-35554Apache Kafka Clients: Kafka Producer Message Corruption and Misrouting via Buffer Pool Race Condition8.7Apr 7, 2026
• CVE-2025-27817Apache Kafka Client: Arbitrary file read and SSRF vulnerability7.5Jun 10, 2025
• CVE-2025-27819Apache Kafka: Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration7.5Jun 10, 2025
• CVE-2025-27818Apache Kafka: Possible RCE attack via SASL JAAS LdapLoginModule configuration8.8Jun 10, 2025
• CVE-2024-56128Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption5.3Dec 18, 2024
• CVE-2024-31141Apache Kafka Clients: Privilege escalation to filesystem read-access via automatic ConfigProvider6.5Nov 19, 2024
• CVE-2024-27309Apache Kafka: Potential incorrect access control during migration from ZK mode to KRaft mode7.4Apr 12, 2024
• CVE-2023-34040Java Deserialization vulnerability in Spring-Kafka When Improperly Configured5.3Aug 24, 2023
• CVE-2022-34917Unauthenticated clients may cause OutOfMemoryError on Apache Kafka Brokers7.5Sep 20, 2022
• CVE-2021-38153Timing Attack Vulnerability for Apache Kafka Connect and Clients5.9Sep 22, 2021
• CVE-2020-27218In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clien...4.8Nov 28, 2020
• CVE-2019-12399When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster ...7.5Jan 14, 2020