CVE-2026-27134
📋 TL;DR
This vulnerability lets a client authenticate to a Strimzi-managed Kafka cluster with a certificate issued by any CA in a multi-stage chain, not only by the CA that was meant to issue client certificates. When a custom Cluster CA or Clients CA is supplied as a full chain, every CA in that chain is trusted, so a certificate signed by any of them is accepted on internal and user-configured listeners. Only deployments that use a custom Cluster CA or Clients CA with a multi-stage CA chain are affected.
💻 Affected Systems
- Strimzi Kafka Operator
📦 What is this software?
Strimzi Kafka Operator, a CNCF project under the Linux Foundation that deploys and manages Apache Kafka on Kubernetes and issues the TLS certificates used by brokers and clients (it is listed under the vendor "linuxfoundation" in vulnerability databases).
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users gain full access to Kafka cluster, potentially reading sensitive data, injecting malicious messages, or disrupting operations.
Likely Case
Privilege escalation: holders of certificates issued by another CA in the chain (for example the root, when only an intermediate was meant to issue client certificates) authenticate to Kafka and reach resources they should not have.
If Mitigated
Limited impact if proper network segmentation and additional authentication layers are in place.
🎯 Exploit Status
Exploitation requires a valid certificate issued by any CA in the configured chain, not just the intended issuing CA; an attacker who can obtain such a certificate needs nothing else to authenticate. The advisory does not mention a public exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.50.1
Vendor Advisory: https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-2qwx-rq6j-8r6j
Restart Required: Yes
Instructions:
1. Upgrade the Strimzi Cluster Operator to version 0.50.1 or later.
2. Make sure every Kafka custom resource is reconciled by the new operator version.
3. Restart (roll) the affected Kafka pods so the brokers pick up the corrected trust configuration.
🔧 Temporary Workarounds
Use Single CA Instead of Full Chain
Instead of providing the full CA chain as the custom CA, provide only the single CA certificate that is meant to act as the trust anchor for authentication.
# Update your custom CA configuration to include only the intended root CA certificate
# Remove the other CAs in the chain (intermediates) from the CA bundle
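Why the single-CA workaround helps, shown as an added example that is not code from the advisory or from the Strimzi project: the script below builds a throw-away PKI with the openssl CLI (root, intermediate, a client certificate issued by the intermediate, and a "rogue" client certificate issued directly by the root), then validates both client certificates against a trust bundle holding the full chain and against one holding only the intermediate. Every certificate in a trust bundle is a trust anchor, which is the same rule a JVM trust store applies, so the full-chain bundle accepts the root-issued certificate while the single-CA bundle rejects it. All file names and CNs are this example's own; it assumes an openssl CLI that supports -partial_chain (OpenSSL 1.1.0 or later).

```shell
#!/bin/sh
# Added demonstration, not Strimzi code: why a full CA chain in the trust store
# accepts certificates issued by any CA in that chain.
set -eu

# Build a throw-away PKI in directory $1.
build_demo_pki() {
  d="$1"
  # Minimal req config so the script also works where no openssl.cnf is installed.
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > "$d/leaf.ext"

  # Self-signed root CA.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" -subj "/CN=demo-root" \
    -keyout "$d/root.key" -out "$d/root.csr"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/root.crt"

  # Intermediate CA, the only CA that is supposed to issue client certificates.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" -subj "/CN=demo-intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 1 -extfile "$d/ca.ext" -out "$d/int.crt"

  # Legitimate client certificate, issued by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" -subj "/CN=good-client" \
    -keyout "$d/good.key" -out "$d/good.csr"
  openssl x509 -req -in "$d/good.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -days 1 -extfile "$d/leaf.ext" -out "$d/good.crt"

  # "Rogue" client certificate, issued directly by the root, bypassing the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" -subj "/CN=rogue-client" \
    -keyout "$d/rogue.key" -out "$d/rogue.csr"
  openssl x509 -req -in "$d/rogue.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 1 -extfile "$d/leaf.ext" -out "$d/rogue.crt"

  # The two trust-store variants: the full chain versus the single issuing CA.
  cat "$d/root.crt" "$d/int.crt" > "$d/chain.pem"
  cp "$d/int.crt" "$d/single.pem"
}

# Return 0 if certificate $2 validates against trust bundle $1.
# -partial_chain lets a non-self-signed CA (the intermediate) act as a trust
# anchor, matching how a JVM trust store treats every certificate it contains.
verify_cert() {
  openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

main() {
  tmp=$(mktemp -d)
  build_demo_pki "$tmp"
  for trust in chain.pem single.pem; do
    for cert in good.crt rogue.crt; do
      if verify_cert "$tmp/$trust" "$tmp/$cert"; then r=ACCEPTED; else r=rejected; fi
      printf '%-10s vs %-9s %s\n' "$trust" "$cert" "$r"
    done
  done
  rm -rf "$tmp"
}
main
```

With the full chain as trust store both client certificates are accepted, including the one the intermediate never issued; with only the intermediate in the trust store the root-issued certificate is rejected. The same contrast is what the workaround above achieves inside Strimzi.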
🧯 If You Can't Patch
- Implement network-level controls to restrict access to Kafka listeners
- Add additional authentication layers (e.g., application-level auth) for Kafka access
🔍 How to Verify
Check if Vulnerable:
You are affected if the operator runs Strimzi 0.49.0 through 0.50.0 and a Kafka custom resource uses a custom CA (spec.clusterCa or spec.clientsCa with generateCertificateAuthority: false) whose CA certificate bundle contains more than one certificate, i.e. a multi-stage chain.
Check Version:
kubectl get deployment strimzi-cluster-operator -o jsonpath='{.spec.template.spec.containers[0].image}'
Verify Fix Applied:
Verify Strimzi operator version is 0.50.1 or later and custom CA configurations use only intended root CA.
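The three checks above combined into one script, added here as an example rather than taken from the advisory or from Strimzi: it classifies an operator image tag against the affected range 0.49.0-0.50.0, counts the certificates in a PEM bundle, and, when given an operator namespace, Kafka namespace and cluster name, pulls the live values with kubectl. It relies on the Strimzi conventions for the CA secrets (<cluster>-cluster-ca-cert and <cluster>-clients-ca-cert, key ca.crt) and the custom-CA switch generateCertificateAuthority: false; the deployment name strimzi-cluster-operator is taken from the check above and may differ in your installation.

```shell
#!/bin/sh
# Added example, not Strimzi code: is this installation in the affected configuration?
set -eu

# Return 0 if version $1 (x.y.z, or a full image reference ending in :x.y.z)
# lies in the affected range 0.49.0 .. 0.50.0, 1 if not, 2 if unparseable.
version_affected() {
  v="${1##*:}"
  maj="${v%%.*}"; rest="${v#*.}"
  case "$rest" in
    *.*) min="${rest%%.*}"; pat="${rest#*.}" ;;
    *)   min="$rest"; pat=0 ;;
  esac
  pat="${pat%%[!0-9]*}"; pat="${pat:-0}"   # tolerate suffixes such as -rc1
  case "$maj$min$pat" in *[!0-9]*|'') return 2 ;; esac
  [ "$maj" -eq 0 ] || return 1
  if [ "$min" -eq 49 ]; then return 0; fi
  if [ "$min" -eq 50 ] && [ "$pat" -eq 0 ]; then return 0; fi
  return 1
}

# Return 0 if the PEM bundle in file $1 holds more than one certificate,
# i.e. a multi-stage chain rather than a single CA certificate.
bundle_is_chain() {
  n=$(grep -c 'BEGIN CERTIFICATE' "$1" 2>/dev/null) || n="${n:-0}"
  [ "$n" -gt 1 ]
}

# Live check: $1 = operator namespace, $2 = Kafka namespace, $3 = Kafka CR name.
check_cluster() {
  op_ns="$1"; ns="$2"; cluster="$3"
  img=$(kubectl -n "$op_ns" get deployment strimzi-cluster-operator \
          -o jsonpath='{.spec.template.spec.containers[0].image}')
  if version_affected "$img"; then
    echo "operator image $img is in the affected range 0.49.0-0.50.0"
  else
    echo "operator image $img is outside the affected range"
  fi
  for pair in clusterCa:cluster-ca-cert clientsCa:clients-ca-cert; do
    field="${pair%%:*}"; suffix="${pair#*:}"
    gen=$(kubectl -n "$ns" get kafka "$cluster" \
            -o jsonpath="{.spec.$field.generateCertificateAuthority}")
    if [ "$gen" != "false" ]; then
      echo "$field: operator-generated CA, not a custom CA"
      continue
    fi
    tmp=$(mktemp)
    kubectl -n "$ns" get secret "$cluster-$suffix" -o jsonpath='{.data.ca\.crt}' \
      | base64 -d > "$tmp"
    if bundle_is_chain "$tmp"; then
      echo "$field: custom CA bundle holds more than one certificate (multi-stage chain)"
    else
      echo "$field: custom CA bundle holds a single certificate"
    fi
    rm -f "$tmp"
  done
}

# Usage: sh check-strimzi.sh <operator-namespace> <kafka-namespace> <kafka-cr-name>
if [ "$#" -eq 3 ]; then
  check_cluster "$@"
fi
```

An installation is in the affected configuration only when both findings coincide: the operator image is in the range and at least one custom CA bundle is a chain. After upgrading, rerun the script; the image line should report 0.50.1 or later.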
📡 Detection & Monitoring
Log Indicators:
- Unexpected authentication successes from unknown certificate issuers
- Authentication attempts using certificates from unintended CAs
Network Indicators:
- mTLS connections from unexpected sources or using unexpected certificate chains
SIEM Query:
source="kafka" AND (event="authentication_success" AND NOT cert_issuer="expected_issuer")