Ce mail provient de l'extérieur, restons vigilants ===================================================================== CERT-Renater Note d'Information No. 2026/VULN574 _____________________________________________________________________ DATE : 02/06/2026 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Apache Kafka versions 4.0.0 up to and including 1.1.7. ===================================================================== https://lists.apache.org/thread/ql50wrhv4skfh4ykq4k3k1qxo2j1827p _____________________________________________________________________ CVE-2026-41115: Apache Kafka: Improper Authorization in CONSUMER_GROUP_DESCRIBE API Severity: moderate Affected versions: - Apache Kafka 4.0.0 through 4.3.0 Description: An improper authorization vulnerability has been identified in Apache Kafka. The implementation of the CONSUMER_GROUP_DESCRIBE (69) API validates the DESCRIBE operation on the GROUP resource instead of the READ operation that documented in the official kafka documentation and the KIP-848. This discrepancy can result in misconfigured Access Control Lists (ACLs) and unintended security postures, like granting READ permission to users who should not be able to join/sync groups, or allowing users without READ permission (but with DESCRIBE permission) to access sensitive group metadata. The correct permission for CONSUMER_GROUP_DESCRIBE API is DESCRIBE GROUP so the current implementation is correct. However, the kafka documentation as well as the KIP-848 will be updated to reflect the correct permission. We advise the Kafka users to review existing group ACLs to ensure the principle of least privilege. Credit: Luke Chen (finder) References: https://kafka.apache.org/cve-list https://kafka.apache.org/ https://www.cve.org/CVERecord?id=CVE-2026-41115 ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================