Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.9
Strimzi: Malicious certificates can be accepted by Kafka cluster
CVE-2026-27133
Summary
Strimzi's Kafka clusters may accept fake server certificates if a chain of trusted certificates is used. This means an attacker could pretend to be a trusted server and connect to the cluster. Update to version 0.50.1 to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| linuxfoundation | strimzi | > 0.47.0 , <= 0.50.1 | – |
Original title
Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 to before 0.50.1, when a chain consisting of multiple CA (Certific...
Original description
Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 to before 0.50.1, when a chain consisting of multiple CA (Certificate Authority) certificates is used in the trusted certificates configuration of a Kafka Connect operand or of the target cluster in the Kafka MirrorMaker 2 operand, all of the certificates that are part of the CA chain will be trusted individually when connecting to the Apache Kafka cluster. Due to this error, the affected operand (Kafka Connect or Kafka MirrorMaker 2) might accept connections to Kafka brokers using server certificates signed by one of the other CAs in the CA chain and not just by the last CA in the chain. This issue is fixed in Strimzi 0.50.1.
nvd CVSS3.1
5.9
Vulnerability type
CWE-295
Improper Certificate Validation
CWE-296
- https://github.com/strimzi/strimzi-kafka-operator/releases/tag/0.50.1 Product Release Notes
- https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-6x85-... Vendor Advisory
Published: 20 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026