What is GHSA-p5r3-m3w4-4fj6?

GHSA-p5r3-m3w4-4fj6 is a security advisory published by GitHub Security Advisories with Medium severity. An improper authorization vulnerability has been identified in Apache Kafka. The implementation...

Which CVE IDs does GHSA-p5r3-m3w4-4fj6 cover?

GHSA-p5r3-m3w4-4fj6 covers the following CVE IDs: CVE-2026-41115. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-p5r3-m3w4-4fj6?

GHSA-p5r3-m3w4-4fj6 has a CVSS v3 base score of 4.3, published by GitHub Security Advisories.

GHSA-p5r3-m3w4-4fj6MediumCVSS 4.3

An improper authorization vulnerability has been identified in Apache Kafka. The implementation...

Vendor

GitHub Security Advisories

Published

June 2, 2026

Last Modified

June 2, 2026

🔗 CVE IDs covered (1)

CVE-2026-41115 →

📋 Description

An improper authorization vulnerability has been identified in Apache Kafka.

The implementation of the CONSUMER_GROUP_DESCRIBE (69) API validates the DESCRIBE operation on the GROUP resource instead of the READ operation that documented in the official kafka documentation and the KIP-848. This discrepancy can result in misconfigured Access Control Lists (ACLs) and unintended security postures, like granting READ permission to users who should not be able to join/sync groups, or allowing users without READ permission (but with DESCRIBE permission) to access sensitive group metadata.

The correct permission for CONSUMER_GROUP_DESCRIBE API is DESCRIBE GROUP so the current implementation is correct. However, the kafka documentation as well as the KIP-848 will be updated to reflect the correct permission. We advise the Kafka users to review existing group ACLs to ensure the principle of least privilege.

🔗 CVE IDs covered (1)

📋 Description

🔗 References (3)