CVE-2026-45080 Overview
CVE-2026-45080 is an information disclosure vulnerability in Klaw, a self-service Apache Kafka Topic Management and Governance portal. The flaw stems from improper access control [CWE-200] that allows unauthorized disclosure of password hashes. All versions prior to 2.10.4 are affected. The maintainers, Aiven-Open, have addressed the issue in version 2.10.4.
The vulnerability is exploitable over the network without authentication or user interaction, but its impact is limited to confidentiality of low-value data. Disclosed password hashes can be subjected to offline cracking attacks, potentially leading to credential compromise across the Kafka governance environment.
Critical Impact
Unauthenticated network attackers can retrieve password hashes from vulnerable Klaw instances, enabling offline credential cracking against Kafka management accounts.
Affected Products
- Aiven-Open Klaw versions prior to 2.10.4
- Self-hosted Klaw deployments managing Apache Kafka topics and governance
- Klaw instances exposed to untrusted network segments
Discovery Timeline
- 2026-06-02 - CVE-2026-45080 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-45080
Vulnerability Analysis
Klaw provides a web portal for managing Apache Kafka topics, schemas, ACLs, and connectors. The application stores user credentials as password hashes within its backend datastore. Prior to version 2.10.4, an access control flaw allowed these hashes to be returned through application responses without enforcing proper authorization checks.
The issue is classified under [CWE-200] (Exposure of Sensitive Information to an Unauthorized Actor). Network-adjacent attackers can interact with the vulnerable Klaw endpoint and obtain hashed credentials belonging to other users. The impact is confined to confidentiality, with no direct integrity or availability consequences. However, password hashes provide a foothold for offline brute-force or dictionary attacks against the hashing algorithm in use.
Root Cause
The root cause is missing or insufficient authorization enforcement on a code path that serializes user objects. The application returned fields containing password hash material to requesters who should not have access to that data. This represents a classic broken access control issue where server-side filtering of sensitive fields was not applied before responses were emitted.
Attack Vector
An attacker reachable over the network sends crafted requests to an affected Klaw endpoint. No prior authentication or user interaction is required to trigger the disclosure. Retrieved hashes can then be moved offline and processed with tools such as Hashcat or John the Ripper. Cracked passwords may be reused against the Klaw portal itself, against connected Kafka clusters, or against other systems if users have reused credentials.
The vulnerability mechanism is described in the GitHub Security Advisory GHSA-v7m7-fr8v-hpx2. No public proof-of-concept exploit code has been published at the time of disclosure.
Detection Methods for CVE-2026-45080
Indicators of Compromise
- Unusual or high-volume HTTP requests to Klaw user, profile, or administrative API endpoints from unexpected source addresses
- Application responses with abnormally large payloads from user-related endpoints that may include hash fields
- Authentication anomalies on Klaw accounts following reconnaissance traffic, such as logins from new geolocations or successful logins after offline cracking windows
Detection Strategies
- Inventory all Klaw deployments and compare installed versions against 2.10.4 to identify exposed instances
- Inspect reverse proxy and application logs for unauthenticated access to user-data endpoints
- Correlate Klaw access logs with downstream Kafka authentication events to detect credential reuse
Monitoring Recommendations
- Forward Klaw application and access logs to a centralized logging or SIEM platform for retention and analysis
- Alert on repeated requests to user-listing or profile endpoints from a single source
- Monitor Kafka broker authentication logs for failed and successful logins that follow Klaw reconnaissance patterns
How to Mitigate CVE-2026-45080
Immediate Actions Required
- Upgrade all Klaw instances to version 2.10.4 or later as published in the GitHub Release v2.10.4
- Force a password reset for all Klaw users after upgrading, assuming hashes may already be exposed
- Restrict network access to the Klaw portal to trusted administrative networks or via VPN
- Audit Kafka cluster accounts and rotate credentials that may have been reused with Klaw
Patch Information
The maintainers patched the access control flaw in Klaw 2.10.4. Release notes and source changes are available in the GitHub Release v2.10.4. The fix removes password hash material from affected response paths and enforces authorization on user data endpoints.
Workarounds
- Place Klaw behind a reverse proxy that enforces authentication and IP allow-listing until the upgrade is applied
- Disable or block external exposure of user-related API endpoints at the network layer if upgrading is not immediately feasible
- Rotate Klaw user passwords and enforce strong password policies to reduce the value of any leaked hashes
# Verify the running Klaw version and pull the patched release
docker pull aivenoy/klaw-core:2.10.4
docker pull aivenoy/klaw-coral:2.10.4
# Example network restriction with iptables to limit Klaw to a management subnet
iptables -A INPUT -p tcp --dport 9097 -s 10.0.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 9097 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
