CVE-2026-33558 Overview
An information exposure vulnerability has been identified in Apache Kafka's NetworkClient component. When DEBUG logging is enabled, the component outputs entire request and response information to the logs, potentially exposing sensitive data including authentication credentials and security tokens. While the default log level is set to INFO, environments with DEBUG logging enabled may inadvertently leak sensitive information through log files.
Critical Impact
Sensitive authentication data including SASL credentials, delegation tokens, and SCRAM credentials may be exposed in log files when DEBUG logging is enabled.
Affected Products
- Apache Kafka versions through v3.9.1
- Apache Kafka v4.0.0 (including RC0, RC1, RC3)
- Any deployment using the listed API requests/responses with DEBUG logging enabled
Discovery Timeline
- 2026-04-20 - CVE-2026-33558 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-33558
Vulnerability Analysis
This vulnerability stems from insufficient log filtering in the NetworkClient component of Apache Kafka. When DEBUG level logging is configured, the component logs complete request and response payloads without sanitizing sensitive information. This is classified as CWE-533 (Information Exposure Through Server Log Files).
The vulnerability affects several security-critical API operations that handle authentication and authorization data. The impacted requests include AlterConfigsRequest, AlterUserScramCredentialsRequest, ExpireDelegationTokenRequest, IncrementalAlterConfigsRequest, RenewDelegationTokenRequest, and SaslAuthenticateRequest. The impacted responses include createDelegationTokenResponse, describeDelegationTokenResponse, and SaslAuthenticateResponse.
Root Cause
The NetworkClient component lacks proper data sanitization or masking when logging request and response objects at the DEBUG level. Security-sensitive fields containing credentials, tokens, and configuration data are written to logs in cleartext, creating an information disclosure risk in environments where log files may be accessed by unauthorized parties or aggregated into centralized logging systems.
Attack Vector
This vulnerability is exploitable by anyone who can read the broker log files or the centralized logging infrastructure they feed. An attacker with access to Kafka broker logs or log aggregation systems could extract authentication credentials, delegation tokens, and SCRAM credentials from DEBUG-level log entries. The attack requires either direct access to the log files on the Kafka broker or access to any system that collects and stores those logs.
No Kafka authentication is needed once log access is obtained, because the sensitive data is written to the log entries in plaintext.
Detection Methods for CVE-2026-33558
Indicators of Compromise
- Review Kafka broker logs for DEBUG-level entries containing SaslAuthenticateRequest or SaslAuthenticateResponse payloads
- Search logs for delegation token-related requests showing token values in cleartext
- Check log aggregation systems for any Kafka DEBUG logs containing credential or configuration data
- Audit log file permissions and access history for unauthorized reads
Detection Strategies
- Implement log scanning rules to detect sensitive data patterns in Kafka DEBUG logs
- Monitor log configuration changes that enable DEBUG level on production brokers
- Use SIEM rules to alert on potential credential exposure in log streams
- Deploy file integrity monitoring on Kafka log directories
Monitoring Recommendations
- Configure alerts for any log level changes from INFO to DEBUG on Kafka brokers
- Monitor access patterns to Kafka log files and directories
- Implement centralized log auditing to detect unauthorized log access
- Review log retention policies to minimize exposure window
How to Mitigate CVE-2026-33558
Immediate Actions Required
- Verify that Kafka broker log levels are set to INFO or a less verbose level (never DEBUG) in production environments
- Audit existing log files for potential sensitive data exposure
- Rotate any credentials that may have been exposed in DEBUG logs
- Review log access permissions and restrict access to authorized personnel only
Patch Information
Apache has released patched versions that address this vulnerability. Users should upgrade to Apache Kafka v3.9.2, v4.0.1, or later versions. Patches are available through the official Apache Kafka distribution channels. For more information, see the Apache Kafka CVE List and the Apache Mailing List Discussion.
Workarounds
- Ensure the log level is set to INFO or a less verbose level (never DEBUG in production)
- Implement log redaction filters to mask sensitive data patterns before writing to logs
- Restrict file system permissions on Kafka log directories
- Review and secure log forwarding and aggregation pipelines
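A log scanning rule (Detection Strategies) combined with a redaction filter (Workarounds), as an added example that is not part of this advisory or of Apache Kafka's own code. It assumes a log4j-style line layout of "[timestamp] LEVEL logger - message" and hypothetical secret field names; the sample log lines are constructed.

```python
import re
from dataclasses import dataclass

# Request/response types the advisory lists as logged in full at DEBUG level.
SENSITIVE_API_TYPES = (
    "AlterConfigsRequest", "AlterUserScramCredentialsRequest",
    "ExpireDelegationTokenRequest", "IncrementalAlterConfigsRequest",
    "RenewDelegationTokenRequest", "SaslAuthenticateRequest",
    "CreateDelegationTokenResponse", "DescribeDelegationTokenResponse",
    "SaslAuthenticateResponse",
)
# Assumed log4j layout "[timestamp] LEVEL logger - message"; adjust to your pattern.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$")
# Field names treated as secrets (hypothetical; extend to match your payload format).
SECRET_FIELD_RE = re.compile(r"(?i)\b(hmac|password|authBytes|saltedPassword|salt)=([^,)\s]+)")

@dataclass
class Finding:
    line_no: int
    api_type: str
    redacted: str  # offending line with secret values masked, safe to keep as evidence

def redact(line: str) -> str:
    """Mask secret field values before the line is forwarded or stored."""
    return SECRET_FIELD_RE.sub(lambda m: f"{m.group(1)}=<REDACTED>", line)

def scan_kafka_log(lines) -> list:
    """Flag DEBUG NetworkClient entries carrying a credential-bearing API payload."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m or m["level"] != "DEBUG" or "NetworkClient" not in m["logger"]:
            continue
        msg = m["msg"].lower()
        hit = next((t for t in SENSITIVE_API_TYPES if t.lower() in msg), None)
        if hit is not None:
            findings.append(Finding(n, hit, redact(line)))
    return findings

# Constructed sample lines; payload text is made up for illustration only.
SAMPLE_LOG = [
    "[2026-04-21 10:00:00,001] INFO org.apache.kafka.clients.NetworkClient - Sending METADATA request to node 1",
    "[2026-04-21 10:00:00,002] DEBUG org.apache.kafka.clients.NetworkClient - Sending SASL_AUTHENTICATE request to node 1: SaslAuthenticateRequestData(authBytes=AGFsaWNlAHMzY3IzdA==)",
    "[2026-04-21 10:00:00,003] DEBUG org.apache.kafka.clients.NetworkClient - Received CREATE_DELEGATION_TOKEN response from node 1: createDelegationTokenResponse(hmac=ZmFrZWhtYWM=, tokenId=abc123)",
    "[2026-04-21 10:00:00,004] DEBUG org.apache.kafka.clients.producer.internals.Sender - Node 1 ready",
]

if __name__ == "__main__":
    for f in scan_kafka_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.api_type} -> {f.redacted}")
```

Run the same `redact` function inside the log forwarder to strip secret values before lines reach a SIEM, and feed `scan_kafka_log` findings to an alert so that a DEBUG NetworkClient payload in production is treated as a credential exposure event.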
# Configuration example (log4j.properties on the broker)
# Ensure the following is NOT set in production:
# log4j.logger.org.apache.kafka.clients.NetworkClient=DEBUG
# Safe log level for NetworkClient:
log4j.logger.org.apache.kafka.clients.NetworkClient=INFO

# Restrict log file permissions (shell commands run on the broker host)
chmod 600 /var/log/kafka/*.log
chown kafka:kafka /var/log/kafka/*.log
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.