Apache Kafka: Improper Authorization in CONSUMER_GROUP_DESCRIBE API
Summary
| CVE | CVE-2026-41115 |
|---|---|
| State | PUBLISHED |
| Assigner | apache |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-02 10:16:25 UTC |
| Updated | 2026-06-02 10:16:25 UTC |
| Description | An improper authorization vulnerability has been identified in Apache Kafka. The implementation of the CONSUMER_GROUP_DESCRIBE (69) API validates the DESCRIBE operation on the GROUP resource instead of the READ operation that documented in the official kafka documentation and the KIP-848. This discrepancy can result in misconfigured Access Control Lists (ACLs) and unintended security postures, like granting READ permission to users who should not be able to join/sync groups, or allowing users without READ permission (but with DESCRIBE permission) to access sensitive group metadata. The correct permission for CONSUMER_GROUP_DESCRIBE API is DESCRIBE GROUP so the current implementation is correct. However, the kafka documentation as well as the KIP-848 will be updated to reflect the correct permission. We advise the Kafka users to review existing group ACLs to ensure the principle of least privilege. |
Risk And Classification
Problem Types: CWE-285 | CWE-285 CWE-285 Improper Authorization
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Apache Software Foundation | Apache Kafka | affected 4.0.0 4.3.0 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| kafka.apache.org/cve-list | [email protected] | kafka.apache.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Luke Chen <[email protected]> (en)
There are currently no legacy QID mappings associated with this CVE.