CVE-2026-33557: Apache Kafka SASL/OAUTHBEARER accepts unvalidated JWTs
CVE-2026-33557 is verified against Apache Kafka · maven affected versions: 4.1.0 through 4.1.1 vulnerability class: Auth Bypass This critical reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00281.
pruva-verify REPRO-2026-00281 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00281/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh Suspected authentication bypass in Apache Kafka broker-side SASL/OAUTHBEARER token acceptance path. The broker appears to accept historical JWT session tokens indefinitely because the unauthenticated token acceptance path does not enforce the JWT exp claim on replay. An attacker holding any previously issued Kafka session JWT can replay it after expiration and still authenticate successfully. This is distinct from generic token validation issues because the claim failure is specifically in exp enforcement on the broker side. Investigate broker-side SASL/OAUTHBEARER handling for expired-but-signed tokens, the exact validation path used during initial connection establishment, and whether the default validator or an alternate callback path bypasses exp checking. Scope: latest Apache Kafka release line unless a patched release already covers this behavior.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.