CVE-2026-41115
Apache Kafka: Improper Authorization in CONSUMER_GROUP_DESCRIBE API
An improper authorization vulnerability has been identified in Apache Kafka. The implementation of the CONSUMER_GROUP_DESCRIBE (69) API validates the DESCRIBE operation on the GROUP resource instead of the READ operation that documented in the official kafka documentation and the KIP-848. This discrepancy can result in misconfigured Access Control Lists (ACLs) and unintended security postures, like granting READ permission to users who should not be able to join/sync groups, or allowing users without READ permission (but with DESCRIBE permission) to access sensitive group metadata. The correct permission for CONSUMER_GROUP_DESCRIBE API is DESCRIBE GROUP so the current implementation is correct. However, the kafka documentation as well as the KIP-848 will be updated to reflect the correct permission. We advise the Kafka users to review existing group ACLs to ensure the principle of least privilege.
| CWE | CWE-285 |
| Vendor | apache software foundation |
| Product | apache kafka |
| Published | Jun 2, 2026 |
| Last Updated | Jun 2, 2026 |
Get instant alerts for apache software foundation apache kafka
Be the first to know when new medium vulnerabilities affecting apache software foundation apache kafka are published โ delivered to Slack, Telegram or Discord.