org.apache.kafka:kafka-clients
Maven · 7 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.apache.kafka:kafka-clients
- CVE-2017-12610 · MEDIUM · CVSS 6.8 · EG 6.8 · ✓ Fixed in 0.11.0.2 · 2018-07-26
  vulnerable: 0.11.0.0, 0.11.0.1
  In Apache Kafka 0.10.0.0 to 0.10.2.1 and 0.11.0.0 to 0.11.0.1, authenticated Kafka clients may use impersonation via a manually crafted protocol message with SASL/PLAIN or SASL/SCRAM authentication when using the built-in PLAIN or SCRAM se…
- CVE-2021-38153 · MEDIUM · CVSS 5.9 · EG 5.9 · ✓ Fixed in 2.8.1 · 2021-09-22
  vulnerable: 2.8.0
  Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or high…
- CVE-2024-31141 · MEDIUM · CVSS 6.5 · EG 6.5 · ✓ Fixed in 3.7.1 · 2024-11-19
  vulnerable: 2.3.0 ... 3.7.0 (38 versions)
  Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients accept configuration data for customizing behavior, and includes ConfigProvider plugins in orde…
- CVE-2025-27817 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 3.9.1 · 2025-06-10
  vulnerable: 3.1.0 ... 3.9.0 (24 versions)
  A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting the SASL/OAUTHBEARER connection with the brokers, including "sasl.oauthbearer.toke…
- CVE-2026-33557 · CRITICAL · CVSS 9.1 · EG 9.1 · ✓ Fixed in 4.1.2 · 2026-04-20
  vulnerable: 4.1.0, 4.1.1
  A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JW…
- CVE-2026-33558 · MEDIUM · CVSS 5.3 · EG 5.3 · ✓ Fixed in 4.0.1 · 2026-04-20
  vulnerable: 4.0.0
  Information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. …
- CVE-2026-35554 · HIGH · CVSS 8.7 · EG 8.7 · ✓ Fixed in 4.1.2 · 2026-04-07
  vulnerable: 4.1.0, 4.1.1
  A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics. When a produce batch expires due to delivery.timeout.ms while a network request containi…