{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33558", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-23T03:46:25.070Z", "datePublished": "2026-04-20T13:20:38.059Z", "dateUpdated": "2026-04-20T14:20:41.640Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Kafka", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "3.9.1", "status": "affected", "version": "0.11.0", "versionType": "semver"}, {"status": "affected", "version": "4.0.0", "versionType": "semver"}]}, {"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.kafka:kafka-clients", "product": "Apache Kafka Clients", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "3.9.1", "status": "affected", "version": "0.11.0", "versionType": "semver"}, {"status": "affected", "version": "4.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Alyssa Huang <ahuang@confluent.io>"}, {"lang": "en", "type": "finder", "value": "Luke Chen <showuon@gmail.com>"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>Information exposure vulnerability has been identified in Apache Kafka.</div><div>The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensitive information will be exposed via the requests and responses output log. The entire lists of impacted requests and responses are:</div><div><ol>\n<li>AlterConfigsRequest</li>\n<li>AlterUserScramCredentialsRequest</li>\n<li>ExpireDelegationTokenRequest</li>\n<li>IncrementalAlterConfigsRequest</li>\n<li>RenewDelegationTokenRequest</li>\n<li>SaslAuthenticateRequest</li>\n<li>createDelegationTokenResponse</li>\n<li>describeDelegationTokenResponse</li>\n<li>SaslAuthenticateResponse</li>\n</ol><br>This issue affects Apache Kafka: from any version supported the listed API above through v3.9.1, v4.0.0. We advise the Kafka users to upgrade to v3.9.2, v4.0.1, or later to avoid this vulnerability.&nbsp;&nbsp;<br><br></div>"}], "value": "Information exposure vulnerability has been identified in Apache Kafka.\n\nThe NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensitive information will be exposed via the requests and responses output log. The entire lists of impacted requests and responses are:\n\n\n * AlterConfigsRequest\n\n * AlterUserScramCredentialsRequest\n\n * ExpireDelegationTokenRequest\n\n * IncrementalAlterConfigsRequest\n\n * RenewDelegationTokenRequest\n\n * SaslAuthenticateRequest\n\n * createDelegationTokenResponse\n\n * describeDelegationTokenResponse\n\n * SaslAuthenticateResponse\n\n\nThis issue affects Apache Kafka: from any version supported the listed API above through v3.9.1, v4.0.0. We advise the Kafka users to upgrade to v3.9.2, v4.0.1, or later to avoid this vulnerability."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-533", "description": "CWE-533 DEPRECATED: Information Exposure Through Server Log Files", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-20T13:20:38.059Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://kafka.apache.org/cve-list"}, {"tags": ["mailing-list"], "url": "https://lists.apache.org/thread/pz5g4ky3h0k91tfd14p0dzqjp80960kl"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Kafka, Apache Kafka Clients: Information Exposure Through Network Client Log Output", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/17/3"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-20T13:38:53.596Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T14:20:28.073658Z", "id": "CVE-2026-33558", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:20:41.640Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/17/3"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-20T13:38:53.596Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-33558", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T14:20:28.073658Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:20:38.114Z"}}], "cna": {"title": "Apache Kafka, Apache Kafka Clients: Information Exposure Through Network Client Log Output", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Alyssa Huang <ahuang@confluent.io>"}, {"lang": "en", "type": "finder", "value": "Luke Chen <showuon@gmail.com>"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Kafka", "versions": [{"status": "affected", "version": "0.11.0", "versionType": "semver", "lessThanOrEqual": "3.9.1"}, {"status": "affected", "version": "4.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Apache Software Foundation", "product": "Apache Kafka Clients", "versions": [{"status": "affected", "version": "0.11.0", "versionType": "semver", "lessThanOrEqual": "3.9.1"}, {"status": "affected", "version": "4.0.0", "versionType": "semver"}], "packageName": "org.apache.kafka:kafka-clients", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://kafka.apache.org/cve-list", "tags": ["vendor-advisory"]}, {"url": "https://lists.apache.org/thread/pz5g4ky3h0k91tfd14p0dzqjp80960kl", "tags": ["mailing-list"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Information exposure vulnerability has been identified in Apache Kafka.\n\nThe NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensitive information will be exposed via the requests and responses output log. The entire lists of impacted requests and responses are:\n\n\n * AlterConfigsRequest\n\n * AlterUserScramCredentialsRequest\n\n * ExpireDelegationTokenRequest\n\n * IncrementalAlterConfigsRequest\n\n * RenewDelegationTokenRequest\n\n * SaslAuthenticateRequest\n\n * createDelegationTokenResponse\n\n * describeDelegationTokenResponse\n\n * SaslAuthenticateResponse\n\n\nThis issue affects Apache Kafka: from any version supported the listed API above through v3.9.1, v4.0.0. We advise the Kafka users to upgrade to v3.9.2, v4.0.1, or later to avoid this vulnerability.", "supportingMedia": [{"type": "text/html", "value": "<div>Information exposure vulnerability has been identified in Apache Kafka.</div><div>The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensitive information will be exposed via the requests and responses output log. The entire lists of impacted requests and responses are:</div><div><ol>\n<li>AlterConfigsRequest</li>\n<li>AlterUserScramCredentialsRequest</li>\n<li>ExpireDelegationTokenRequest</li>\n<li>IncrementalAlterConfigsRequest</li>\n<li>RenewDelegationTokenRequest</li>\n<li>SaslAuthenticateRequest</li>\n<li>createDelegationTokenResponse</li>\n<li>describeDelegationTokenResponse</li>\n<li>SaslAuthenticateResponse</li>\n</ol><br>This issue affects Apache Kafka: from any version supported the listed API above through v3.9.1, v4.0.0. We advise the Kafka users to upgrade to v3.9.2, v4.0.1, or later to avoid this vulnerability.&nbsp;&nbsp;<br><br></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-533", "description": "CWE-533 DEPRECATED: Information Exposure Through Server Log Files"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-20T13:20:38.059Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33558", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:20:41.640Z", "dateReserved": "2026-03-23T03:46:25.070Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-20T13:20:38.059Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Information exposure vulnerability has been identified in Apache Kafka.\n\nThe NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensitive information will be exposed via the requests and responses output log. The entire lists of impacted requests and responses are:\n\n\n * AlterConfigsRequest\n\n * AlterUserScramCredentialsRequest\n\n * ExpireDelegationTokenRequest\n\n * IncrementalAlterConfigsRequest\n\n * RenewDelegationTokenRequest\n\n * SaslAuthenticateRequest\n\n * createDelegationTokenResponse\n\n * describeDelegationTokenResponse\n\n * SaslAuthenticateResponse\n\n\nThis issue affects Apache Kafka: from any version supported the listed API above through v3.9.1, v4.0.0. We advise the Kafka users to upgrade to v3.9.2, v4.0.1, or later to avoid this vulnerability."}], "id": "CVE-2026-33558", "lastModified": "2026-04-20T19:05:30.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-20T14:16:19.010", "references": [{"source": "security@apache.org", "url": "https://kafka.apache.org/cve-list"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread/pz5g4ky3h0k91tfd14p0dzqjp80960kl"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/17/3"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-533"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T16:31:12.601746+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Kafka and Apache Kafka Clients to v3.9.2, v4.0.1, or later versions to eliminate the debug logging of request and response data.", "Ensure the log level is set to INFO or higher (DEBUG disabled) in all production environments to prevent sensitive data from being logged.", "Review existing production log files for evidence of sensitive data that may have been exposed during periods when DEBUG was enabled, and take appropriate data handling actions."], "summary": {"action": "Patch", "impact": "Sensitive Information Exposure via Log Files"}, "threat_synthesis": {"affected_systems": "Apache Kafka and Apache Kafka Clients from any supported version through v3.9.1 and v4.0.0 are affected. The upgrade advisories recommend moving to v3.9.2 or v4.0.1 and newer releases.", "description_and_impact": "The NetworkClient component in Apache Kafka and its client library logs complete request and response bodies when the DEBUG log level is enabled. Because DEBUG is not the default level, a user who enables debugging can inadvertently expose highly sensitive data such as credentials, tokens, or configuration changes to anyone with access to the log files. This flaw is documented as a CWE\u2011533 Information Exposure flaw and does not involve code execution or denial of service. The vulnerability would allow an attacker to read private data only if they can access the logs or influence the logging configuration.", "risk_and_exploitability": "The exploitability of this issue requires the attacker to enable the DEBUG log level or otherwise modify the Kafka logging configuration. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. While the CVSS score is 5.3, the risk is primarily the accidental disclosure of sensitive data rather than direct exploitation of the system. The potential impact is limited to confidentiality of information exposed in logs when DEBUG is enabled."}}}}, "created": "2026-04-20T15:30:06.168723+00:00", "updated": "2026-04-20T16:45:11.945623+00:00", "vendors": []}