CVE-2026-25999

7.1 HIGH

📋 TL;DR

CVE-2026-25999 is an improper access control vulnerability in Klaw (Apache Kafka management portal) that allows unauthorized users to reset or delete metadata for any tenant by sending crafted requests to the /resetMemoryCache endpoint. This affects all Klaw deployments prior to version 2.10.2, potentially disrupting Kafka topic management operations.

💻 Affected Systems

Products:
  • Klaw (Apache Kafka Topic Management Portal)
Versions: All versions prior to 2.10.2
Operating Systems: Any OS running Klaw
Default Config Vulnerable: ⚠️ Yes
Notes: All Klaw deployments with the vulnerable endpoint accessible are affected regardless of configuration.

📦 What is this software?

Klaw is Aiven's open-source, multi-tenant self-service portal for managing Apache Kafka topics and access control; the source and security advisories are published under the Aiven-Open/klaw GitHub organisation referenced in the advisory link below.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete disruption of Kafka topic management operations across all tenants, requiring manual restoration of configurations and potentially causing service outages.

🟠 Likely Case

Temporary disruption of Klaw functionality requiring administrators to manually reload configurations, causing operational delays.

🟢 If Mitigated

Minimal impact with proper network segmentation and authentication controls preventing unauthorized access to the vulnerable endpoint.

🌐 Internet-Facing: HIGH if Klaw is reachable from the internet: the request needs no credentials, so any client that can reach the endpoint can trigger it.
🏢 Internal Only: MEDIUM: anyone with network access to the Klaw instance, including an attacker with a foothold on the internal network, can still exploit it.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a simple HTTP request to the vulnerable endpoint with no authentication or special tools needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.10.2

Vendor Advisory: https://github.com/Aiven-Open/klaw/security/advisories/GHSA-rp26-qv9w-xr5q

Restart Required: Yes

Instructions:

1. Back up the current Klaw configuration and data.
2. Stop the Klaw service.
3. Update to version 2.10.2 using the deployment method in use (container image, package or manual installation).
4. Restart the Klaw service.
5. Verify the fix: confirm the running version is 2.10.2 or later and that an unauthenticated request to /resetMemoryCache is rejected.

🔧 Temporary Workarounds

Network Access Restriction (Linux, iptables)

Restrict network access to the Klaw listener to authorized users and systems. Add one ACCEPT rule per trusted source ahead of the DROP, and make sure the pair lands before any existing blanket ACCEPT on the chain (iptables -A appends, so a permissive rule earlier in INPUT would still win). Repeat with ip6tables if the host has an IPv6 address, and persist the rules, since they do not survive a reboot on their own.

iptables -A INPUT -p tcp --dport [KLAW_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [KLAW_PORT] -j DROP

Endpoint Blocking via Reverse Proxy (all platforms; nginx syntax shown)

Block access to the /resetMemoryCache endpoint at the reverse proxy or load balancer. In nginx a prefix location also matches anything beneath the path; return 403 runs in the rewrite phase, before deny all is consulted, so it is what actually answers the request and deny all is a second line of defence. This only helps if clients cannot bypass the proxy and reach Klaw's own port directly, and it blocks legitimate administrative use of the endpoint until the patch is applied.

location /resetMemoryCache { deny all; return 403; }

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Klaw from untrusted networks
  • Add authentication middleware or WAF rules to block unauthorized requests to /resetMemoryCache

🔍 How to Verify

Check if Vulnerable:

Check whether the Klaw version is below 2.10.2 and whether an unauthenticated request to the /resetMemoryCache endpoint is accepted.

Check Version:

curl -s http://[KLAW_HOST]:[PORT]/api/version | grep version

Verify Fix Applied:

Verify that the Klaw version is 2.10.2 or higher and that an unauthenticated request to /resetMemoryCache is rejected with an authentication or authorization error (401 or 403) rather than processed. A redirect to the login page is not a successful reset, so do not count a followed 302 that ends in a 200 as evidence of exposure.
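The two checks above as one script, added here as an example; it is not code from the advisory or from the Klaw project. It assumes the /api/version endpoint shown above returns a JSON body with a version field (the endpoint name is taken from this page and was not verified against Klaw), that a vulnerable build answers an anonymous POST to /resetMemoryCache with 200 while a fixed build answers 401 or 403, and that the base URL is passed as a command-line argument. Redirects are deliberately not followed so that a login-page bounce is reported as REDIRECTED rather than mistaken for a reset.

```python
"""Check a Klaw instance for CVE-2026-25999 exposure.

Added example, not Klaw code. Assumptions: /api/version returns JSON with a
"version" key (name taken from the page, unverified); a vulnerable build
answers an unauthenticated POST /resetMemoryCache with 200, a fixed one
with 401/403.
"""
import json
import re
import sys
import urllib.error
import urllib.request

FIXED_VERSION = (2, 10, 2)


def parse_version(text):
    """First dotted version in text, e.g. "2.10.1-rc1" -> (2, 10, 1)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version):
    """True for every release below 2.10.2, the affected range on this page."""
    return parse_version(version) < FIXED_VERSION


def classify_probe(status):
    """Interpret the status of an unauthenticated POST to /resetMemoryCache."""
    if status == 200:
        return "VULNERABLE"            # the reset was accepted anonymously
    if status in (401, 403):
        return "PROTECTED"             # access control enforced
    if status in (301, 302, 303, 307, 308):
        return "REDIRECTED"            # usually a login page; not a confirmed reset
    if status == 404:
        return "ENDPOINT_NOT_FOUND"    # removed, or blocked by a proxy rule
    return "UNEXPECTED"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a 302 surfaces as its own status."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def fetch_status(url, method="GET", timeout=5):
    """(status, body) for a request sent without any credentials."""
    req = urllib.request.Request(url, method=method)
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


def main(base_url):
    try:
        _, body = fetch_status(f"{base_url}/api/version")
        version_text = body
        try:
            version_text = str(json.loads(body).get("version", body))
        except (ValueError, AttributeError):
            pass  # not JSON, or no "version" key: regex over the raw body
        try:
            verdict = "vulnerable (< 2.10.2)" if is_vulnerable_version(version_text) else "fixed (>= 2.10.2)"
        except ValueError:
            verdict = "could not parse a version number"
        print(f"version: {version_text.strip()[:80]} -> {verdict}")

        status, _ = fetch_status(f"{base_url}/resetMemoryCache", method="POST")
        print(f"unauthenticated POST /resetMemoryCache -> {status} ({classify_probe(status)})")
    except urllib.error.URLError as e:
        sys.exit(f"request failed: {e}")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_klaw.py http://KLAW_HOST:PORT")
    main(sys.argv[1].rstrip("/"))
```

Run it against a test instance before and after upgrading: the version line should flip to fixed and the probe line from VULNERABLE to PROTECTED (or ENDPOINT_NOT_FOUND if the proxy rule above is in place).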

📡 Detection & Monitoring

Log Indicators:

  • HTTP 200 responses to POST /resetMemoryCache from unauthorized IPs
  • Unusual spike in configuration reload events

Network Indicators:

  • HTTP POST requests to /resetMemoryCache that carry no session cookie or Authorization header
  • Traffic to Klaw from unexpected source IPs

SIEM Query:

source="klaw.log" AND uri_path="/resetMemoryCache" AND http_method="POST" AND NOT user_authenticated="true"

The field names follow a generic access-log schema; map them to whatever your proxy or Klaw log pipeline actually emits. Adding http_status=200 narrows the search to resets that succeeded rather than probes that were denied.
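The log indicators and the query above turned into detection logic and run over constructed sample log lines, added here as an example; it is not the page's SIEM query or Klaw code. The JSON access-log shape (ts, src_ip, method, path, status, user), the trusted administrator range and the burst threshold are assumptions made for the example.

```python
"""Detect CVE-2026-25999 probing and abuse in access-log lines.

Added example, not Klaw code. The log format, the trusted admin range and
the burst threshold are assumptions; the sample lines are constructed.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

TARGET_PATH = "/resetMemoryCache"
# Assumed: administrators reach Klaw only from this range.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Three reset requests from one source within five minutes count as a burst.
BURST_COUNT, BURST_WINDOW = 3, timedelta(minutes=5)

# Constructed sample lines, not real Klaw output.
SAMPLE_LOG = """\
{"ts":"2026-03-01T10:00:00Z","src_ip":"10.1.2.3","method":"POST","path":"/resetMemoryCache","status":200,"user":"admin"}
{"ts":"2026-03-01T10:01:10Z","src_ip":"203.0.113.7","method":"POST","path":"/resetMemoryCache","status":200,"user":""}
{"ts":"2026-03-01T10:01:11Z","src_ip":"203.0.113.7","method":"POST","path":"/resetMemoryCache","status":200,"user":""}
{"ts":"2026-03-01T10:01:12Z","src_ip":"203.0.113.7","method":"POST","path":"/resetMemoryCache","status":200,"user":""}
{"ts":"2026-03-01T10:02:00Z","src_ip":"198.51.100.9","method":"GET","path":"/topics","status":200,"user":""}
{"ts":"2026-03-01T10:03:00Z","src_ip":"198.51.100.9","method":"POST","path":"/resetMemoryCache","status":403,"user":""}
"""


def parse_log(text):
    """Yield one event dict per non-empty JSON line, with ts as a datetime."""
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        yield event


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def classify_event(event):
    """Rule name for a suspicious reset request, or None if benign."""
    if event["path"] != TARGET_PATH or event["method"] != "POST":
        return None
    if not event["user"]:
        # Anonymous caller: a 200 means the reset went through (the CVE
        # condition); anything else is a denied probe still worth a look.
        return "anon_reset_success" if event["status"] == 200 else "anon_reset_denied"
    if not is_trusted(event["src_ip"]):
        return "authenticated_reset_from_untrusted_ip"
    return None


def find_bursts(events):
    """Source IPs that hit the endpoint BURST_COUNT times within BURST_WINDOW."""
    times = defaultdict(list)
    for e in events:
        if e["path"] == TARGET_PATH and e["method"] == "POST":
            times[e["src_ip"]].append(e["ts"])
    bursty = []
    for ip, ts in times.items():
        ts.sort()
        if any(ts[i + BURST_COUNT - 1] - ts[i] <= BURST_WINDOW
               for i in range(len(ts) - BURST_COUNT + 1)):
            bursty.append(ip)
    return bursty


def detect(text):
    """Return ([(rule, src_ip, ts_iso), ...], [bursty_ip, ...]) for a log text."""
    events = list(parse_log(text))
    alerts = []
    for e in events:
        rule = classify_event(e)
        if rule:
            alerts.append((rule, e["src_ip"], e["ts"].isoformat()))
    return alerts, find_bursts(events)


if __name__ == "__main__":
    found, bursts = detect(SAMPLE_LOG)
    for rule, ip, ts in found:
        print(f"{ts} {ip} {rule}")
    for ip in bursts:
        print(f"burst of {TARGET_PATH} requests from {ip}")
```

On the sample, the admin reset from the trusted range raises nothing, the three anonymous 200s from 203.0.113.7 each fire anon_reset_success and together trigger the burst rule, and the single denied attempt from 198.51.100.9 is reported as a probe. Once the patch is applied the first rule should never fire; if it does, the instance is either unpatched or reachable past the proxy.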
