CVE-2026-33558

April 20, 2026, 7:05 p.m.

5.3
Medium

Description

An information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component writes the full contents of requests and responses to the log at the DEBUG log level. By default, the log level is set to INFO. If the DEBUG level is enabled, sensitive information carried in those requests and responses is exposed through the request and response log output. The complete list of affected requests and responses is:

  • AlterConfigsRequest
  • AlterUserScramCredentialsRequest
  • ExpireDelegationTokenRequest
  • IncrementalAlterConfigsRequest
  • RenewDelegationTokenRequest
  • SaslAuthenticateRequest
  • createDelegationTokenResponse
  • describeDelegationTokenResponse
  • SaslAuthenticateResponse

This issue affects Apache Kafka from any version that supports the APIs listed above through v3.9.1, and v4.0.0. We advise Kafka users to upgrade to v3.9.2, v4.0.1, or later to avoid this vulnerability.

Product(s) Impacted

Vendor: Apache
Product: Kafka
Versions: <3.9.2, 3.9.0, 3.9.1, 4.0.0, 4.0.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-533
DEPRECATED: Information Exposure Through Server Log Files
This entry has been deprecated because its abstraction was too low-level. See CWE-532.

*CPE(s)

Affected systems and software identified for this CVE.

Type | Vendor | Product | Version
a    | apache | kafka   | <3.9.2
a    | apache | kafka   | 3.9.0
a    | apache | kafka   | 3.9.1
a    | apache | kafka   | 4.0.0
a    | apache | kafka   | 4.0.1

The Update, Edition, Language, Software Edition, Target Software, Target Hardware and Other Information fields are unset for every entry.

CVSS Score

5.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Timeline

Published: April 20, 2026, 2:16 p.m.
Last Modified: April 20, 2026, 7:05 p.m.

Status : Undergoing Analysis

This CVE has recently been published to the CVE List and has been received by the NVD.

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.