
CVE-2026-33558: Apache Kafka Information Disclosure Flaw

CVE-2026-33558 is an information disclosure vulnerability in Apache Kafka that exposes sensitive data through DEBUG-level logs. This article covers the technical details, affected versions, impact, and mitigation.

CVE-2026-33558 Overview

An information exposure vulnerability has been identified in Apache Kafka's NetworkClient component. When DEBUG logging is enabled, the component writes complete request and response contents to the logs, potentially exposing sensitive data including authentication credentials and security tokens. The default log level is INFO, so only environments that have enabled DEBUG logging are affected, but those environments may inadvertently leak sensitive information through log files.

Critical Impact

Sensitive authentication data including SASL credentials, delegation tokens, and SCRAM credentials may be exposed in log files when DEBUG logging is enabled.

Affected Products

  • Apache Kafka versions through v3.9.1
  • Apache Kafka v4.0.0 (including RC0, RC1, RC3)
  • Any deployment using the listed API requests/responses with DEBUG logging enabled

Discovery Timeline

  • 2026-04-20 - CVE-2026-33558 published to NVD
  • 2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-33558

Vulnerability Analysis

This vulnerability stems from insufficient log filtering in the NetworkClient component of Apache Kafka. When DEBUG level logging is configured, the component logs complete request and response payloads without sanitizing sensitive information. This is classified as CWE-533 (Information Exposure Through Server Log Files).

The vulnerability affects several security-critical API operations that handle authentication and authorization data. The impacted requests include AlterConfigsRequest, AlterUserScramCredentialsRequest, ExpireDelegationTokenRequest, IncrementalAlterConfigsRequest, RenewDelegationTokenRequest, and SaslAuthenticateRequest. The impacted responses include CreateDelegationTokenResponse, DescribeDelegationTokenResponse, and SaslAuthenticateResponse.

Root Cause

The NetworkClient component lacks proper data sanitization or masking when logging request and response objects at the DEBUG level. Security-sensitive fields containing credentials, tokens, and configuration data are written to logs in cleartext, creating an information disclosure risk in environments where log files may be accessed by unauthorized parties or aggregated into centralized logging systems.

Attack Vector

This vulnerability is exploitable through network-accessible log files or centralized logging infrastructure. An attacker with access to Kafka broker logs or log aggregation systems could extract sensitive authentication credentials, delegation tokens, and SCRAM credentials from DEBUG-level log entries. The attack requires either direct access to the log files on the Kafka broker or access to any system that collects and stores these logs.

Once log access is obtained, no Kafka authentication is needed to exploit the vulnerability, because the sensitive values appear in plaintext within the log entries.

Detection Methods for CVE-2026-33558

Indicators of Compromise

  • Review Kafka broker logs for DEBUG-level entries containing SaslAuthenticateRequest or SaslAuthenticateResponse payloads
  • Search logs for delegation token-related requests showing token values in cleartext
  • Check log aggregation systems for any Kafka DEBUG logs containing credential or configuration data
  • Audit log file permissions and access history for unauthorized reads

Detection Strategies

  • Implement log scanning rules to detect sensitive data patterns in Kafka DEBUG logs
  • Monitor log configuration changes that enable DEBUG level on production brokers
  • Use SIEM rules to alert on potential credential exposure in log streams
  • Deploy file integrity monitoring on Kafka log directories

Monitoring Recommendations

  • Configure alerts for any log level changes from INFO to DEBUG on Kafka brokers
  • Monitor access patterns to Kafka log files and directories
  • Implement centralized log auditing to detect unauthorized log access
  • Review log retention policies to minimize exposure window

How to Mitigate CVE-2026-33558

Immediate Actions Required

  • Verify Kafka broker log levels are set to INFO or higher (not DEBUG) in production environments
  • Audit existing log files for potential sensitive data exposure
  • Rotate any credentials that may have been exposed in DEBUG logs
  • Review log access permissions and restrict access to authorized personnel only
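A quick way to check the first item, as an added example that is not Apache Kafka's own tooling: compute the level that NetworkClient actually inherits from a log4j.properties fragment. It assumes log4j 1.x-style properties as used by Kafka's log4j.properties, and both configurations are constructed samples; the point it shows is that a root logger left at DEBUG leaks unless the NetworkClient logger is explicitly overridden.

```python
"""Compute the effective log4j level of Kafka's NetworkClient from a
log4j.properties fragment. Added example, not Apache Kafka code. Assumes
log4j 1.x-style properties (Kafka's log4j.properties): a logger inherits
the level of its nearest configured ancestor, ending at log4j.rootLogger."""
import re

NETWORK_CLIENT = "org.apache.kafka.clients.NetworkClient"
LEVELS = ["ALL", "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF"]

# Constructed sample: root at DEBUG and no override, so NetworkClient logs payloads.
LEAKY_CONFIG = """
log4j.rootLogger=DEBUG, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.logger.kafka=INFO
"""
# Constructed sample: root still at DEBUG, but NetworkClient explicitly capped at INFO.
FIXED_CONFIG = """
log4j.rootLogger=DEBUG, stdout
log4j.logger.org.apache.kafka.clients.NetworkClient=INFO
"""

def parse_levels(text):
    """Map logger name -> configured level; the root logger is keyed as ""."""
    levels = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"log4j\.rootLogger\s*=\s*(\w+)", line)
        if m:
            levels[""] = m.group(1).upper()
            continue
        m = re.match(r"log4j\.logger\.([\w.$]+)\s*=\s*(\w+)", line)
        if m:
            levels[m.group(1)] = m.group(2).upper()
    return levels

def effective_level(levels, name):
    """Walk up the dotted name to the nearest configured ancestor (log4j default root: DEBUG)."""
    while name not in levels and "." in name:
        name = name.rsplit(".", 1)[0]
    return levels.get(name, levels.get("", "DEBUG"))

def network_client_leaks(text):
    """True if NetworkClient would emit DEBUG (or finer) entries under this configuration."""
    level = effective_level(parse_levels(text), NETWORK_CLIENT)
    return LEVELS.index(level) <= LEVELS.index("DEBUG")
```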

Patch Information

Apache has released patched versions that address this vulnerability. Users should upgrade to Apache Kafka v3.9.2, v4.0.1, or later versions. Patches are available through the official Apache Kafka distribution channels. For more information, see the Apache Kafka CVE List and the Apache Mailing List Discussion.

Workarounds

  • Ensure log level is set to INFO or above (never DEBUG in production)
  • Implement log redaction filters to mask sensitive data patterns before writing to logs
  • Restrict file system permissions on Kafka log directories
  • Review and secure log forwarding and aggregation pipelines
Configuration example. The log level belongs in the broker's log4j configuration (log4j.properties); make sure the NetworkClient logger is not left at DEBUG in production:

```properties
# Ensure the following is NOT set in production:
# log4j.logger.org.apache.kafka.clients.NetworkClient=DEBUG

# Set safe log level for NetworkClient
log4j.logger.org.apache.kafka.clients.NetworkClient=INFO
```

Restrict who can read the log files (the paths assume the default /var/log/kafka location and a kafka service account):

```bash
# Restrict log file permissions to the kafka service account
chmod 600 /var/log/kafka/*.log
chown kafka:kafka /var/log/kafka/*.log
```
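Added example (not Apache Kafka code) covering both the log-scanning rule from Detection Strategies and the redaction filter from Workarounds: it flags DEBUG NetworkClient entries that carry the request and response types listed above and masks their payloads, so it can run in a log forwarder or as a SIEM rule. The sample lines are constructed to resemble Kafka's default "[timestamp] LEVEL message (logger)" layout; adapt LINE_RE to your own pattern.

```python
"""Flag and redact DEBUG NetworkClient entries carrying the request/response types
named in this advisory. Added example, not Apache Kafka code; the sample lines are
constructed to resemble Kafka's default "[ts] LEVEL message (logger)" layout."""
import re

SENSITIVE_TYPES = (
    "AlterConfigsRequest", "AlterUserScramCredentialsRequest",
    "ExpireDelegationTokenRequest", "IncrementalAlterConfigsRequest",
    "RenewDelegationTokenRequest", "SaslAuthenticateRequest",
    "CreateDelegationTokenResponse", "DescribeDelegationTokenResponse",
    "SaslAuthenticateResponse",
)
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<level>\w+) (?P<msg>.*) \((?P<logger>[\w.$]+)\)$")
# e.g. "SaslAuthenticateRequestData(authBytes=...)": type name plus its payload in parens.
TYPE_RE = re.compile(r"(?P<name>(?P<type>" + "|".join(SENSITIVE_TYPES) + r")(?:Data)?)\(.*\)")

# Constructed sample log; credential bytes and token values are made up.
SAMPLE_LOG = [
    "[2026-04-21 10:02:13,117] DEBUG [AdminClient clientId=adminclient-1] Sending SASL_AUTHENTICATE request to node 0: SaslAuthenticateRequestData(authBytes=[0, 97, 108, 105, 99, 101, 0, 115, 51, 99, 114, 51, 116]) (org.apache.kafka.clients.NetworkClient)",
    "[2026-04-21 10:02:13,118] INFO [KafkaServer id=0] started (kafka.server.KafkaServer)",
    "[2026-04-21 10:02:14,001] DEBUG [AdminClient clientId=adminclient-1] Received CREATE_DELEGATION_TOKEN response from node 0: CreateDelegationTokenResponseData(tokenId='tok-1', hmac='c2VjcmV0') (org.apache.kafka.clients.NetworkClient)",
    "[2026-04-21 10:02:15,300] DEBUG [AdminClient clientId=adminclient-1] Sending METADATA request to node 0: MetadataRequestData(topics=[]) (org.apache.kafka.clients.NetworkClient)",
]

def classify(line):
    """Return the affected type if this is a DEBUG NetworkClient entry with one of
    the CVE-2026-33558 payloads, otherwise None."""
    m = LINE_RE.match(line)
    if not m or m["level"] != "DEBUG" or not m["logger"].endswith(".NetworkClient"):
        return None
    t = TYPE_RE.search(m["msg"])
    return t["type"] if t else None

def redact(line):
    """Mask the payload of an affected entry; other lines pass through unchanged.
    Only the message part is rewritten, so timestamp, level and logger survive."""
    m = LINE_RE.match(line)
    if m is None or classify(line) is None:
        return line
    msg = TYPE_RE.sub(lambda t: t["name"] + "(<redacted>)", m["msg"])
    return f"[{m['ts']}] {m['level']} {msg} ({m['logger']})"

def scan(lines):
    """(line_number, type) for every affected entry, e.g. to feed a SIEM rule."""
    return [(n, t) for n, t in ((n, classify(l)) for n, l in enumerate(lines, 1)) if t]
```

Metadata and other non-listed DEBUG entries are left alone, so the filter does not blind routine troubleshooting.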

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
