Vulnerability Details: CVE-2026-33558

Summary
Assigner: apache
Assigner Org ID: f0158376-9dc2-43b6-827c-5f631a4d8d09
Published At: 20 Apr, 2026 | 13:20
Updated At: 20 Apr, 2026 | 14:20
Rejected At: -

Apache Kafka, Apache Kafka Clients: Information Exposure Through Network Client Log Output

An information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component logs the entire contents of requests and responses at the DEBUG log level. By default, the log level is set to INFO. If the DEBUG level is enabled, the sensitive information carried in those requests and responses is written to the log. The complete list of impacted requests and responses is:
  • AlterConfigsRequest
  • AlterUserScramCredentialsRequest
  • ExpireDelegationTokenRequest
  • IncrementalAlterConfigsRequest
  • RenewDelegationTokenRequest
  • SaslAuthenticateRequest
  • createDelegationTokenResponse
  • describeDelegationTokenResponse
  • SaslAuthenticateResponse
This issue affects Apache Kafka from any version that supports the APIs listed above through v3.9.1, and v4.0.0. Kafka users are advised to upgrade to v3.9.2, v4.0.1, or later to avoid this vulnerability.

Common Vulnerabilities and Exposures (CVE) (cve.org)
Assigner: apache
Assigner Org ID: f0158376-9dc2-43b6-827c-5f631a4d8d09
Published At: 20 Apr, 2026 | 13:20
Updated At: 20 Apr, 2026 | 14:20
Rejected At: -
CVE Numbering Authority (CNA)
Affected Products
Vendor: The Apache Software Foundation
Product: Apache Kafka
Default Status: unaffected
Affected versions:
  • From 0.11.0 through 3.9.1 (semver)
  • 4.0.0 (semver)
Vendor: The Apache Software Foundation
Product: Apache Kafka Clients
Collection URL: https://repo.maven.apache.org/maven2
Package Name: org.apache.kafka:kafka-clients
Default Status: unaffected
Affected versions:
  • From 0.11.0 through 3.9.1 (semver)
  • 4.0.0 (semver)
Problem Types
  • CWE-533 (Type: CWE): DEPRECATED: Information Exposure Through Server Log Files
Metrics
Textual description of severity: moderate
Credits
  • finder: Alyssa Huang <ahuang@confluent.io>
  • finder: Luke Chen <showuon@gmail.com>
References
  • https://kafka.apache.org/cve-list (vendor-advisory)
  • https://lists.apache.org/thread/pz5g4ky3h0k91tfd14p0dzqjp80960kl (mailing-list)
Authorized Data Publishers (ADP)
1. CVE Program Container
References
  • http://www.openwall.com/lists/oss-security/2026/04/17/3 (resource type: N/A)
2. CISA ADP Vulnrichment
Metrics (CVSS)
  • Version: 3.1
  • Base score: 5.3
  • Base severity: MEDIUM
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
National Vulnerability Database (NVD) (nvd.nist.gov)
Source: security@apache.org
Published At: 20 Apr, 2026 | 14:16
Updated At: 22 Apr, 2026 | 14:16
Metrics (CVSS)
  • Type: Secondary
  • Version: 3.1
  • Base score: 5.3
  • Base severity: MEDIUM
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CPE Matches (vendor: The Apache Software Foundation, apache)
  • kafka, versions from 0.11.0.0 (inclusive) to 3.9.2 (exclusive): cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*:*
  • kafka 4.0.0: cpe:2.3:a:apache:kafka:4.0.0:-:*:*:*:*:*:*
  • kafka 4.0.0 rc0: cpe:2.3:a:apache:kafka:4.0.0:rc0:*:*:*:*:*:*
  • kafka 4.0.0 rc1: cpe:2.3:a:apache:kafka:4.0.0:rc1:*:*:*:*:*:*
  • kafka 4.0.0 rc3: cpe:2.3:a:apache:kafka:4.0.0:rc3:*:*:*:*:*:*
Weaknesses
  • CWE-533 (Type: Secondary; Source: security@apache.org)
References
  • https://kafka.apache.org/cve-list (Source: security@apache.org; Vendor Advisory)
  • https://lists.apache.org/thread/pz5g4ky3h0k91tfd14p0dzqjp80960kl (Source: security@apache.org; Mitigation, Vendor Advisory)
  • http://www.openwall.com/lists/oss-security/2026/04/17/3 (Source: af854a3a-2127-422b-91ae-364da2661108; Mailing List)