Platform
kubernetes
Component
strimzi-kafka-operator
Fixed in
0.47.1
CVE-2026-27133 affects the Strimzi Kafka Operator, a tool for managing Apache Kafka clusters on Kubernetes and OpenShift. This vulnerability arises from an error in how the operator handles CA certificate chains within Kafka Connect and Kafka MirrorMaker 2 operands. Specifically, when multiple CA certificates are used, each certificate is trusted individually, potentially allowing unauthorized connections to the Kafka cluster. Affected versions include 0.47.0 through 0.50.0, with a fix available in version 0.50.1.
The primary impact of CVE-2026-27133 is the potential for unauthorized access to your Apache Kafka cluster. An attacker could exploit this misconfiguration by presenting a certificate that is part of a trusted CA chain, even if it's not intended for legitimate cluster access. This could lead to data breaches, data manipulation, or denial of service. The vulnerability’s scope is limited to deployments using multiple CA certificates in the trusted certificates configuration of Kafka Connect or Kafka MirrorMaker 2 operands. This is not a direct remote code execution vulnerability, but it can be a stepping stone for further attacks if the Kafka cluster itself has other vulnerabilities.
CVE-2026-27133 was publicly disclosed on February 20, 2026. There is currently no indication of active exploitation in the wild. The vulnerability is not listed on the CISA KEV catalog as of this writing. Public proof-of-concept exploits are not yet available, but the vulnerability's nature suggests it could be relatively straightforward to exploit given proper access to the Kubernetes/OpenShift cluster and the ability to modify operand configurations.
Organizations utilizing Strimzi Kafka Operator for managing Kafka clusters on Kubernetes or OpenShift, particularly those employing multiple CA certificates in their Kafka Connect or Kafka MirrorMaker 2 operand configurations, are at risk. This includes those with complex certificate management setups and those who may have inherited configurations without fully understanding their implications.
• kubernetes / server:
kubectl get pods -n <namespace> -l app.strimzi.io/operator=kafka-operator -o jsonpath='{.items[*].metadata.labels.version}'
• kubernetes / server:
kubectl get kafkaconnect -n <namespace> -o yaml | grep -i ca-chain
• kubernetes / server:
kubectl get kafkamirrormaker2 -n <namespace> -o yaml | grep -i ca-chain
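The three checks above can be combined into one offline triage step. The script below is an added example (not Strimzi project code): it takes the operator version label and JSON shaped like `kubectl get kafkaconnect,kafkamirrormaker2 -o json` plus the referenced TLS secrets, and flags operands whose `trustedCertificates` bundle holds more than one CA certificate while the operator is in the affected range stated on this page. It assumes the usual Strimzi CRD layout (`spec.tls` for KafkaConnect, `spec.clusters[].tls` for KafkaMirrorMaker2) and the `certificate` key form; the sample resources and PEM bodies are constructed placeholders.

```python
import base64
import re

# Affected range as stated in the advisory text: 0.47.0 <= version < 0.50.1.
AFFECTED_MIN, FIXED = (0, 47, 0), (0, 50, 1)
_PEM_BEGIN = re.compile(r"-----BEGIN CERTIFICATE-----")

def operator_is_affected(version: str) -> bool:
    return AFFECTED_MIN <= tuple(int(x) for x in version.split(".")[:3]) < FIXED

def tls_blocks(spec: dict):
    """KafkaConnect keeps tls at spec.tls; KafkaMirrorMaker2 under spec.clusters[].tls (assumed layout)."""
    if "tls" in spec:
        yield spec["tls"]
    for cluster in spec.get("clusters", []):
        if "tls" in cluster:
            yield cluster["tls"]

def risky_operands(items: list, secrets: dict) -> list:
    """(kind, name, cert_count) for operands whose trusted bundle holds more than one CA."""
    findings = []
    for item in items:
        total = 0
        for tls in tls_blocks(item.get("spec", {})):
            for ref in tls.get("trustedCertificates", []):  # only the `certificate` key form
                data = secrets.get(ref["secretName"], {}).get("data", {})
                pem = base64.b64decode(data.get(ref.get("certificate", ""), "")).decode()
                total += len(_PEM_BEGIN.findall(pem))  # count PEM certificates in the bundle
        if total > 1:
            findings.append((item["kind"], item["metadata"]["name"], total))
    return findings

def triage(version: str, items: list, secrets: dict) -> list:
    """Findings that need review: empty when the operator is outside the affected range."""
    return risky_operands(items, secrets) if operator_is_affected(version) else []

# Constructed sample data shaped like `kubectl get ... -o json` output; PEM bodies are placeholders.
_ONE_CA = "-----BEGIN CERTIFICATE-----\nROOT-PLACEHOLDER\n-----END CERTIFICATE-----\n"
_TWO_CA = "-----BEGIN CERTIFICATE-----\nINTERMEDIATE-PLACEHOLDER\n-----END CERTIFICATE-----\n" + _ONE_CA
SAMPLE_SECRETS = {"connect-ca": {"data": {"ca.crt": base64.b64encode(_TWO_CA.encode()).decode()}},
                  "mm2-ca": {"data": {"ca.crt": base64.b64encode(_ONE_CA.encode()).decode()}}}
SAMPLE_ITEMS = [
    {"kind": "KafkaConnect", "metadata": {"name": "my-connect"},
     "spec": {"tls": {"trustedCertificates": [{"secretName": "connect-ca", "certificate": "ca.crt"}]}}},
    {"kind": "KafkaMirrorMaker2", "metadata": {"name": "my-mm2"},
     "spec": {"clusters": [{"tls": {"trustedCertificates": [{"secretName": "mm2-ca", "certificate": "ca.crt"}]}}]}},
]

if __name__ == "__main__":  # "0.49.0" stands in for the operator pod's version label
    for kind, name, n in triage("0.49.0", SAMPLE_ITEMS, SAMPLE_SECRETS):
        print(f"{kind}/{name}: {n} CA certs in trusted bundle; upgrade to 0.50.1")
```

Only operands with more than one certificate in their trusted bundle are reported, since single-CA configurations are outside the scope the advisory describes.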
Exploit status
EPSS
0.01% (percentile 1%)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2026-27133 is to upgrade the Strimzi Kafka Operator to version 0.50.1 or later. This version corrects the faulty certificate chain handling logic. If upgrading is not immediately feasible, consider implementing stricter network policies within your Kubernetes/OpenShift cluster to restrict access to the Kafka cluster. Review your Kafka Connect and Kafka MirrorMaker 2 operand configurations to ensure that only trusted certificates are used and that the CA chain is properly validated. While not a direct fix, consider implementing mutual TLS (mTLS) authentication for all Kafka clients to add an additional layer of security.
Update Strimzi to version 0.50.1 or later. This version corrects the incorrect validation of CA certificates in Kafka Connect and Kafka MirrorMaker 2, ensuring that only the last CA certificate in the chain is treated as trusted.
CVE-2026-27133 is a medium-severity vulnerability in Strimzi Kafka Operator versions 0.47.0 through 0.50.0 where misconfigured CA chains allow unauthorized connections to Kafka clusters.
You are affected if you are running Strimzi Kafka Operator versions 0.47.0 through 0.50.0 and using multiple CA certificates in your Kafka Connect or Kafka MirrorMaker 2 operand configurations.
Upgrade Strimzi Kafka Operator to version 0.50.1 or later to resolve the vulnerability. Consider stricter network policies as a temporary workaround.
There is currently no indication of active exploitation in the wild, but the vulnerability is potentially exploitable.
Refer to the official Strimzi project website and security advisories for the latest information: https://strimzi.io/blog/