Incorrect authorization in Apache Kafka - CVE-2026-41115


Published: June 4, 2026


Vulnerability identifier: #VU133398
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-41115
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Kafka

Detailed vulnerability description

The vulnerability allows a remote, authenticated user to obtain sensitive consumer group metadata.

The vulnerability exists due to improper access control in the CONSUMER_GROUP_DESCRIBE API when handling consumer group describe requests. A remote user who holds DESCRIBE permission on the GROUP resource can send such a request and retrieve group metadata that operators may not have intended to expose.

The issue stems from a discrepancy between the documented permission model and the authorization check actually implemented: operators who grant group ACLs according to the documentation can end up granting more access than they intended.


How to mitigate CVE-2026-41115

The vendor advises Kafka users to review their existing group ACLs and ensure they follow the principle of least privilege. The documentation will also be updated to reflect this case.

Note that there will be no separate release to address this issue.
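As an added example (not from the advisory and not code from the Kafka project), the ACL review the vendor recommends can be partly automated. The script below parses the text printed by `kafka-acls.sh --bootstrap-server <host:port> --list`, lists every principal whose ACLs let it describe consumer groups, and flags wildcard and prefixed grants first. It also counts READ, WRITE, DELETE and ALTER on a group as describe-capable, because Kafka's standard authorizer treats each of those operations as implying DESCRIBE. The listing embedded in the script is a constructed sample in the assumed shape of the CLI output; the `DESCRIBE_IMPLYING` set, the `is_broad` heuristic and all principal and group names are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Operations whose ALLOW grant also satisfies a DESCRIBE check in Kafka's standard
# authorizer: READ, WRITE, DELETE and ALTER each imply DESCRIBE, and ALL covers every
# operation. A consumer allowed to READ a group can therefore describe it.
DESCRIBE_IMPLYING = {"DESCRIBE", "READ", "WRITE", "DELETE", "ALTER", "ALL"}

# Shapes of the two line kinds printed by `kafka-acls.sh --list` (assumed format).
RESOURCE_RE = re.compile(
    r"ResourcePattern\(resourceType=(\w+), name=(.+?), patternType=(\w+)\)")
ACE_RE = re.compile(
    r"\(principal=(.+?), host=(.+?), operation=(\w+), permissionType=(\w+)\)")


@dataclass(frozen=True)
class Acl:
    resource_type: str
    name: str
    pattern_type: str
    principal: str
    host: str
    operation: str
    permission: str


def parse_acl_listing(text: str) -> list[Acl]:
    """Turn the text of `kafka-acls.sh --list` into one Acl per access-control entry."""
    acls: list[Acl] = []
    resource = None
    for line in text.splitlines():
        m = RESOURCE_RE.search(line)
        if m:
            resource = m.groups()  # entries that follow belong to this resource pattern
            continue
        m = ACE_RE.search(line)
        if m and resource is not None:
            acls.append(Acl(*resource, *m.groups()))
    return acls


def group_describe_grants(acls: list[Acl]) -> list[Acl]:
    """ALLOW entries on GROUP resources that let the principal describe the group(s).

    DENY entries are not subtracted here: Kafka evaluates DENY before ALLOW, so a
    principal returned by this function may still be blocked by an explicit DENY.
    """
    return [a for a in acls
            if a.resource_type == "GROUP"
            and a.permission == "ALLOW"
            and a.operation in DESCRIBE_IMPLYING]


def is_broad(acl: Acl) -> bool:
    """True if the grant reaches more than one named group or more than one principal."""
    return (acl.name == "*"
            or acl.pattern_type == "PREFIXED"
            or acl.principal.endswith(":*"))


def report(acls: list[Acl]) -> list[str]:
    """Findings for the reviewer, broad grants first, then by principal name."""
    grants = group_describe_grants(acls)
    lines = []
    for a in sorted(grants, key=lambda g: (not is_broad(g), g.principal)):
        scope = "BROAD" if is_broad(a) else "narrow"
        lines.append(f"{scope:6} {a.principal} can describe group "
                     f"'{a.name}' ({a.pattern_type}) via {a.operation}")
    return lines


# Constructed sample in the shape of `kafka-acls.sh --list` output; not real output.
SAMPLE_LISTING = """\
Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=*, patternType=LITERAL)`:
  (principal=User:monitoring, host=*, operation=DESCRIBE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=orders-, patternType=PREFIXED)`:
  (principal=User:orders-svc, host=*, operation=READ, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=billing, patternType=LITERAL)`:
  (principal=User:billing-svc, host=*, operation=READ, permissionType=ALLOW)
  (principal=User:intern, host=*, operation=DESCRIBE, permissionType=DENY)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=orders, patternType=LITERAL)`:
  (principal=User:monitoring, host=*, operation=DESCRIBE, permissionType=ALLOW)
"""

if __name__ == "__main__":
    for line in report(parse_acl_listing(SAMPLE_LISTING)):
        print(line)
```

Run it against a saved copy of the real listing rather than the embedded sample. Entries marked BROAD are the ones to compare first against the updated documentation; DENY entries are deliberately left out of the arithmetic, so cross-check those by hand before removing any ALLOW.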


Sources