Improper Validation of Specified Index, Position, or Offset in Input

CVE-2026-33557

High

9.1/10

Summary

A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` isset to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating itssignature, issuer, or audience. An attacker can generate a JWTtoken from any issuer with the `preferred_username` set to any user, and the broker will accept it. We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-1285 - Improper Validation of Specified Index, Position, or Offset in Input

The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.

References

Advisory Timeline

Published Apr 20, 2026

Improper Validation of Specified Index, Position, or Offset in Input

CVE-2026-33557

Summary

CWE-1285 - Improper Validation of Specified Index, Position, or Offset in Input

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS