Race condition in Apache Kafka - CVE-2026-35554
Published: May 21, 2026


Vulnerability identifier: #VU132004
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-35554
CWE-ID: CWE-362
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Kafka

Detailed vulnerability description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because a race condition in the Apache Kafka Java producer client's buffer pool management can cause messages to be silently delivered to incorrect topics. A remote attacker can exploit the race to gain unauthorized access to sensitive information and escalate privileges on the system.


How to mitigate CVE-2026-35554

Install updates from vendor's website.

Sources