| Severity | Score | CVE | Advisory | Affected versions |
|---|---|---|---|---|
| CRITICAL | 9.1 | CVE-2026-33557 | Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication | >= 4.1.0, < 4.1.2 |
| HIGH | 8.8 | CVE-2025-27818 | Apache Kafka: Possible RCE attack via SASL JAAS LdapLoginModule configuration | >= 2.3.0, < 3.9.1 |
| HIGH | 8.8 | CVE-2025-27819 | Apache Kafka: Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration | >= 2.0.0, < 3.4.1 |
| HIGH | 7.5 | | Apache Kafka Client: Arbitrary file read and SSRF vulnerability | >= 3.1.0, < 3.9.1 |
| HIGH | 7.5 | | Unauthenticated clients may cause OutOfMemoryError on Apache Kafka Brokers | >= 2.8.0, < 2.8.2; >= 3.0.0, < 3.0.2; >= 3.1.0, < 3.1.2; >= 3.2.0, < 3.2.3 |
| MEDIUM | 6.8 | | Apache Kafka: Potential incorrect access control during migration from ZK mode to KRaft mode | >= 3.5.0, < 3.5.2; >= 3.6.0, < 3.6.2 |
| MEDIUM | 5.9 | | Timing Attack Vulnerability for Apache Kafka Connect and Clients | >= 2.0.0, < 2.6.3; >= 2.7.0, < 2.7.2; >= 2.8.0, < 2.8.1 |
| MEDIUM | 5.3 | | Apache Kafka, Apache Kafka Clients: Information Exposure Through Network Client Log Output | >= 0.11.0, < 3.9.2; >= 4.0.0, < 4.0.1 |
| MEDIUM | 5.3 | | Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption | >= 3.8.0, < 3.8.1; >= 0.10.2, < 3.7.2 |
| MEDIUM | 4.8 | | jetty9 - security update | >= 2.7.0, < 2.7.1 |
| MEDIUM | 4.3 | | Apache Kafka: Improper Authorization in CONSUMER_GROUP_DESCRIBE API | >= 4.0.0, <= 4.3.0 |