Skip to content
Verified reproduction

CVE-2026-33557: Apache Kafka SASL/OAUTHBEARER accepts unvalidated JWTs

CVE-2026-33557 is verified against Apache Kafka · maven affected versions: 4.1.0 through 4.1.1 vulnerability class: Auth Bypass This critical reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00281.

REPRO-2026-00281 Apache Kafka · maven Auth Bypass Variant found Jul 11, 2026 .txt
Severity CRITICAL
Confidence HIGH
Reproduced in 44m 25s
Tool calls 414
Spend $10.59
Affected 4.1.0 through 4.1.1
$ pruva-verify REPRO-2026-00281
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00281/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

Suspected authentication bypass in Apache Kafka broker-side SASL/OAUTHBEARER token acceptance path. The broker appears to accept historical JWT session tokens indefinitely because the unauthenticated token acceptance path does not enforce the JWT exp claim on replay. An attacker holding any previously issued Kafka session JWT can replay it after expiration and still authenticate successfully. This is distinct from generic token validation issues because the claim failure is specifically in exp enforcement on the broker side. Investigate broker-side SASL/OAUTHBEARER handling for expired-but-signed tokens, the exact validation path used during initial connection establishment, and whether the default validator or an alternate callback path bypasses exp checking. Scope: latest Apache Kafka release line unless a patched release already covers this behavior.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.

bundle/artifact_promotion_manifest.json12.3 KB
bundle/artifact_promotion_report.json12.4 KB
bundle/vuln_variant/source_identity.json0.8 KB
bundle/vuln_variant/root_cause_equivalence.json1.4 KB
bundle/repro/reproduction_steps.sh26.2 KB
bundle/repro/rca_report.md6.1 KB
bundle/logs/evidence.log7.7 KB
bundle/logs/broker_secured.log83.5 KB
bundle/repro/runtime_manifest.json1.0 KB
bundle/repro/validation_verdict.json0.8 KB
bundle/logs/reproduction_steps.log7.3 KB
bundle/logs/raw_vulnerable_expired.json0.9 KB
bundle/logs/raw_vulnerable_valid.json0.9 KB
bundle/logs/raw_fixed_expired.json1.3 KB
bundle/logs/raw_fixed_valid.json0.9 KB
bundle/logs/broker_vulnerable.log71.4 KB
bundle/logs/broker_fixed.log75.4 KB
bundle/logs/mock_oauth_server.log5.6 KB
bundle/logs/javap_defaultjwtvalidator_4.1.0.txt4.9 KB
bundle/logs/javap_defaultjwtvalidator_4.1.2.txt6.0 KB
bundle/vuln_variant/reproduction_steps.sh28.3 KB
bundle/vuln_variant/rca_report.md12.4 KB
bundle/vuln_variant/patch_analysis.md9.7 KB
bundle/vuln_variant/variant_manifest.json4.6 KB
bundle/vuln_variant/validation_verdict.json2.2 KB
bundle/logs/vuln_variant/variant_evidence.log16.9 KB
bundle/vuln_variant/runtime_manifest.json1.2 KB
bundle/logs/vuln_variant/reproduction_steps.log12.6 KB
bundle/logs/vuln_variant/fixed_version.txt0.4 KB
bundle/logs/vuln_variant/raw_vulnerable_wrong_issuer.json0.9 KB
bundle/logs/vuln_variant/raw_vulnerable_wrong_audience.json0.9 KB
bundle/logs/vuln_variant/raw_vulnerable_tampered_signature.json0.9 KB
bundle/logs/vuln_variant/raw_fixed_wrong_issuer.json1.3 KB
bundle/logs/vuln_variant/raw_fixed_wrong_audience.json1.3 KB
bundle/logs/vuln_variant/raw_fixed_tampered_signature.json1.3 KB
bundle/logs/vuln_variant/broker_vulnerable.log71.6 KB
bundle/logs/vuln_variant/broker_fixed.log83.0 KB
bundle/logs/vuln_variant/mock_oauth_server.log4.8 KB