Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-25999

CVE-2026-25999: Klaw Auth Bypass Vulnerability

CVE-2026-25999 is an authentication bypass vulnerability in Klaw that allows attackers to reset or delete tenant metadata by exploiting improper access controls. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-25999 Overview

CVE-2026-25999 is an improper access control vulnerability affecting Klaw, a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to version 2.10.2, the vulnerability allows unauthorized users to trigger a reset or deletion of metadata for any tenant through the /resetMemoryCache endpoint. By sending a crafted request to this endpoint, an attacker can clear cached configurations, environments, and cluster data, leading to significant service disruption and potential data integrity issues.

Critical Impact

Unauthorized access to the /resetMemoryCache endpoint enables attackers to wipe tenant metadata, cached configurations, and cluster information, potentially causing widespread service disruption across multi-tenant Kafka environments.

Affected Products

  • Klaw versions prior to 2.10.2
  • Self-hosted Klaw Apache Kafka Management deployments
  • Multi-tenant Klaw environments

Discovery Timeline

  • 2026-02-11 - CVE-2026-25999 published to NVD
  • 2026-02-12 - Last updated in NVD database

Technical Details for CVE-2026-25999

Vulnerability Analysis

This vulnerability stems from CWE-285 (Improper Authorization), where the /resetMemoryCache endpoint lacks proper access control verification before executing sensitive operations. The endpoint is intended for internal service maintenance but was exposed without adequate authentication or authorization checks. An attacker with low-level privileges (or potentially even unauthenticated access depending on deployment configuration) can exploit this flaw to clear critical cached data for any tenant in the system.

The attack can be executed remotely over the network without user interaction, making it particularly dangerous in internet-facing or shared-infrastructure deployments. While the vulnerability does not directly expose confidential data, the ability to arbitrarily delete cached configurations and metadata poses significant integrity and availability risks.

Root Cause

The root cause is insufficient authorization enforcement on the /resetMemoryCache/** endpoint. The security configuration failed to restrict access to this administrative endpoint, allowing any authenticated user to invoke cache reset operations that should be limited to system administrators or internal service calls only. The endpoint was designed for internal service communication but lacked the necessary access control boundaries.

Attack Vector

The attack vector is network-based, requiring only low privileges to exploit. An attacker can craft HTTP requests targeting the /resetMemoryCache endpoint with parameters specifying the target tenant. Upon receiving such a request, the vulnerable Klaw instance processes it without verifying whether the requester has authorization to perform cache operations on the specified tenant, resulting in the deletion of cached configurations, environment settings, and cluster data.

The security patch addresses this by properly configuring the endpoint within the security framework. Below is the relevant patch code:

java
http.csrf(
        csrf -> {
          csrf.ignoringRequestMatchers("/logout");
          csrf.ignoringRequestMatchers("/resetMemoryCache/**"); // Internal service endpoint
          csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
          csrf.csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler());
        })

Source: GitHub Commit 617ed96

Detection Methods for CVE-2026-25999

Indicators of Compromise

  • Unexpected HTTP requests to /resetMemoryCache or /resetMemoryCache/** endpoints from unauthorized sources
  • Sudden loss of cached configuration data or environment settings without administrator action
  • Multiple tenants reporting configuration resets or missing cluster metadata simultaneously
  • Anomalous authentication patterns followed by cache reset API calls

Detection Strategies

  • Monitor web application logs for requests to the /resetMemoryCache endpoint, especially from non-administrative users or unexpected source IPs
  • Implement alerting on configuration changes or cache invalidation events that occur outside of scheduled maintenance windows
  • Deploy web application firewall (WAF) rules to flag or block requests to sensitive administrative endpoints from unauthorized sources
  • Correlate authentication logs with API access patterns to identify privilege abuse attempts

Monitoring Recommendations

  • Enable detailed access logging for all Klaw administrative endpoints
  • Configure SIEM rules to alert on repeated access attempts to /resetMemoryCache from the same user or IP
  • Monitor tenant metadata integrity through regular consistency checks
  • Implement real-time alerting for any cache reset operations outside of defined maintenance procedures

How to Mitigate CVE-2026-25999

Immediate Actions Required

  • Upgrade Klaw to version 2.10.2 or later immediately
  • Audit access logs for any suspicious requests to the /resetMemoryCache endpoint prior to patching
  • Review and restrict network access to Klaw administrative endpoints using firewall rules or network segmentation
  • Verify tenant metadata integrity and restore from backups if tampering is detected

Patch Information

The vulnerability is fixed in Klaw version 2.10.2. Organizations should upgrade to this version or later to remediate the vulnerability. The fix implements proper access control on the /resetMemoryCache endpoint to ensure only authorized internal service calls can invoke cache reset operations.

Workarounds

  • If immediate patching is not possible, restrict access to the /resetMemoryCache/** endpoint at the network or reverse proxy level
  • Implement IP allowlisting to permit only trusted internal service IPs to access administrative endpoints
  • Deploy a web application firewall rule to block external requests to the vulnerable endpoint
  • Consider temporarily disabling the cache reset functionality if operationally feasible until the patch can be applied
bash
# Example: Block access to vulnerable endpoint using nginx
location /resetMemoryCache {
    allow 127.0.0.1;
    allow 10.0.0.0/8;  # Internal network range
    deny all;
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne