CVE-2026-23529

7.7 HIGH

📋 TL;DR

The Kafka Connect BigQuery Connector prior to version 2.11.0 has an arbitrary file read vulnerability in credential configuration processing. Attackers can exploit this by providing malicious credential configurations with crafted file paths or URLs, leading to unauthorized file access or server-side request forgery (SSRF). This affects users of Aiven's Google BigQuery Kafka Connect Sink connector who configure external credentials.

💻 Affected Systems

Products:
  • Aiven Google BigQuery Kafka Connect Sink Connector
Versions: All versions prior to 2.11.0
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when users supply external credential configurations; default configurations without external credential sources are not affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could read sensitive system files (e.g., /etc/passwd, SSH keys, configuration files) or perform SSRF attacks against internal services, potentially leading to credential theft, data exfiltration, or lateral movement.

🟠 Likely Case

Unauthorized reading of files accessible to the connector process, potentially exposing configuration files, credentials, or application data stored on the server.

🟢 If Mitigated

If proper input validation and credential source restrictions are implemented, the connector would reject malicious configurations before processing.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to configure the connector with malicious credential settings, which typically requires some level of access to the connector configuration interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.11.0

Vendor Advisory: https://github.com/Aiven-Open/bigquery-connector-for-apache-kafka/security/advisories/GHSA-3mg8-2g53-5gj4

Restart Required: Yes

Instructions:

1. Update to version 2.11.0 or later.
2. Stop the Kafka Connect service.
3. Replace the connector JAR file with the patched version.
4. Restart the Kafka Connect service.
5. Verify connector functionality.

🔧 Temporary Workarounds

Restrict Credential Configuration Access

Applies to: all

Limit who can configure the connector and what credential sources are allowed.

Use Service Account Keys Instead of External Files

Applies to: all

Configure authentication using service account keys directly rather than external credential files.

🧯 If You Can't Patch

  • Implement strict access controls on connector configuration interfaces to prevent unauthorized changes.
  • Monitor connector configuration changes and audit logs for suspicious credential source modifications.

🔍 How to Verify

Check if Vulnerable:

Check the connector version in use; if it's below 2.11.0 and configured with external credential sources, it's vulnerable.

Check Version:

Check the connector JAR file version or consult the Kafka Connect connector status/configuration.

Verify Fix Applied:

Confirm the connector version is 2.11.0 or higher and test that malicious credential configurations are rejected.
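The version and configuration checks above can be scripted against the Kafka Connect REST API. The following is an added example, not code from the advisory or from the Aiven connector project: it reads the JSON shapes returned by GET /connector-plugins, GET /connectors and GET /connectors/{name}/config, flags any BigQuery sink connector below 2.11.0, and separates instances that are configured with an external credential source (a file path or URL) from those that only need the update. The connector class name, the config key names (`keySource`, `keyfile`) and the sample data are assumptions to be confirmed against your own worker.

```python
"""Check a Kafka Connect worker for BigQuery sink connectors older than 2.11.0.

Added example; not part of the advisory or of the Aiven connector project.
It works on the JSON shapes the Kafka Connect REST API returns
(GET /connector-plugins, GET /connectors, GET /connectors/{name}/config).
The connector class name, the config key names and the sample data below
are assumptions for illustration.
"""
import json
import re
import urllib.request

FIXED_VERSION = (2, 11, 0)
# Assumed class name of the BigQuery sink connector; confirm it against /connector-plugins.
BIGQUERY_SINK_CLASS = "com.wepay.kafka.connect.bigquery.BigQuerySinkConnector"
# Assumed config keys selecting the credential source and its location.
KEY_SOURCE = "keySource"
KEY_FILE = "keyfile"
REASON_EXTERNAL = "vulnerable: below 2.11.0 and configured with an external credential source"
REASON_VERSION_ONLY = "outdated: below 2.11.0 but no external credential source configured"
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def parse_version(text):
    """'2.10.3' or '2.11.0-SNAPSHOT' -> (2, 10, 3) / (2, 11, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(p or 0) for p in m.groups()) if m else None


def is_vulnerable_version(version_text):
    """True for any parseable version strictly below the fixed release."""
    v = parse_version(version_text)
    return v is not None and v < FIXED_VERSION


def uses_external_credentials(config):
    """True when the credential source is a file path or URL rather than inline material."""
    if str(config.get(KEY_SOURCE, "")).upper() == "FILE":  # assumed enum value
        return True
    value = str(config.get(KEY_FILE, ""))
    return value.startswith("/") or bool(URL_RE.match(value))


def assess(plugins, connectors):
    """plugins: /connector-plugins list; connectors: {name: config}.
    Returns a list of (connector name, plugin version, reason)."""
    versions = {p["class"]: p.get("version") for p in plugins}
    findings = []
    for name, config in connectors.items():
        cls = config.get("connector.class")
        if cls != BIGQUERY_SINK_CLASS or not is_vulnerable_version(versions.get(cls)):
            continue
        reason = REASON_EXTERNAL if uses_external_credentials(config) else REASON_VERSION_ONLY
        findings.append((name, versions.get(cls), reason))
    return findings


def fetch_json(url):
    """GET a JSON document from the worker's REST API."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def collect_from_worker(base_url):
    """Pull the same data from a live worker, e.g. collect_from_worker('http://localhost:8083')."""
    plugins = fetch_json(f"{base_url}/connector-plugins")
    names = fetch_json(f"{base_url}/connectors")
    return plugins, {n: fetch_json(f"{base_url}/connectors/{n}/config") for n in names}


# Constructed sample data shaped like the REST API responses.
SAMPLE_PLUGINS = [
    {"class": BIGQUERY_SINK_CLASS, "type": "sink", "version": "2.10.0"},
    {"class": "org.apache.kafka.connect.file.FileStreamSinkConnector", "type": "sink", "version": "3.7.0"},
]
SAMPLE_CONNECTORS = {
    "bq-events": {"connector.class": BIGQUERY_SINK_CLASS, KEY_SOURCE: "FILE", KEY_FILE: "/etc/kafka/bq-key.json"},
    "bq-inline": {"connector.class": BIGQUERY_SINK_CLASS, KEY_SOURCE: "JSON", KEY_FILE: '{"type":"service_account"}'},
    "file-sink": {"connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector", "file": "/tmp/out.txt"},
}

if __name__ == "__main__":
    for name, version, reason in assess(SAMPLE_PLUGINS, SAMPLE_CONNECTORS):
        print(f"{name} ({version}): {reason}")
```

Run it as-is to see the two sample findings, or replace the sample data with `assess(*collect_from_worker("http://localhost:8083"))` to check a real worker. Because the fix applies to the plugin, a connector that is merely outdated still deserves the update; the split only orders the work.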

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns from the connector process
  • Failed authentication attempts with suspicious credential sources
  • Connector configuration changes involving external credential files/URLs

Network Indicators:

  • Outbound connections from the connector to unexpected internal/external endpoints

SIEM Query:

Process: 'kafka-connect' AND (FileAccess: '/etc/*' OR FileAccess: '/home/*/.ssh/*' OR NetworkConnection: 'internal-service:*')
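The SIEM query above is pseudo-syntax; the following is an added example, not part of the advisory, that applies the same three indicators (credential configuration changes pointing at files or URLs, reads of sensitive files, egress to unexpected hosts) to worker log lines. The log line format, the `keyfile` config key, the allowed credential directory and the allowed hosts are all constructed assumptions to adapt to your deployment; the sample log is constructed as well.

```python
"""Scan Kafka Connect worker log lines for the indicators listed above.

Added example; the log line format is constructed for illustration and is not
the connector's real logging format. The config key name, the allowed
credential directory and the allowed hosts are assumptions for your environment.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line kind detail")

# Assumed: the only directory credential files should be loaded from, and the
# only hosts the connector is expected to open connections to.
ALLOWED_CREDENTIAL_DIR = "/etc/kafka-connect/credentials/"
ALLOWED_HOSTS = {"bigquery.googleapis.com", "oauth2.googleapis.com"}
CREDENTIAL_KEYS = {"keyfile"}  # assumed config key naming the credential source

# Constructed line shapes: a config change, a file read and a network connection.
CONFIG_RE = re.compile(r"config-change connector=(?P<name>\S+) key=(?P<key>\S+) value=(?P<value>\S+)")
FILE_RE = re.compile(r"file-read path=(?P<path>\S+)")
NET_RE = re.compile(r"connect host=(?P<host>[^:\s]+)(?::(?P<port>\d+))?")
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def check_line(line):
    """Return a Finding when the line matches an indicator, otherwise None."""
    m = CONFIG_RE.search(line)
    if m:
        key, value = m.group("key"), m.group("value")
        if key in CREDENTIAL_KEYS:
            if URL_RE.match(value):
                return Finding(line, "credential-url", value)
            if value.startswith("/") and not value.startswith(ALLOWED_CREDENTIAL_DIR):
                return Finding(line, "credential-path-outside-allowlist", value)
        return None
    m = FILE_RE.search(line)
    if m:
        path = m.group("path")
        sensitive = path.startswith("/etc/") or "/.ssh/" in path
        if sensitive and not path.startswith(ALLOWED_CREDENTIAL_DIR):
            return Finding(line, "sensitive-file-read", path)
        return None
    m = NET_RE.search(line)
    if m and m.group("host") not in ALLOWED_HOSTS:
        return Finding(line, "unexpected-egress", m.group("host"))
    return None


def scan(lines):
    """Run check_line over an iterable of log lines and keep the hits."""
    return [f for f in (check_line(line) for line in lines) if f]


# Constructed sample log: a benign deployment followed by the three indicator types.
SAMPLE_LOG = [
    "2026-01-15T09:00:01Z INFO config-change connector=bq-events key=keyfile value=/etc/kafka-connect/credentials/bq.json",
    "2026-01-15T09:00:02Z INFO file-read path=/etc/kafka-connect/credentials/bq.json",
    "2026-01-15T09:00:03Z INFO connect host=bigquery.googleapis.com:443",
    "2026-01-15T11:42:10Z INFO config-change connector=bq-events key=keyfile value=/home/connect/.ssh/id_rsa",
    "2026-01-15T11:42:11Z INFO file-read path=/home/connect/.ssh/id_rsa",
    "2026-01-15T11:43:00Z INFO config-change connector=bq-events key=keyfile value=http://internal-service.local/",
    "2026-01-15T11:43:01Z INFO connect host=internal-service.local:80",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"[{finding.kind}] {finding.detail}")
```

The allowlist approach matters more than the specific patterns: a credential path under the expected directory and egress to Google's API hosts are normal for this connector, so the detector only fires on the deviations the advisory describes, which keeps the rule usable on a busy worker.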
