This is an automated email from the ASF dual-hosted git repository.

showuon pushed a commit to branch markdown
in repository https://gitbox.apache.org/repos/asf/kafka-site.git


The following commit(s) were added to refs/heads/markdown by this push:
     new da65ac238e MINOR: Fix and add CVE-2026-41115 info (#875)
da65ac238e is described below

commit da65ac238ecc2e5f142731f2099865191a4b01c3
Author: Luke Chen <[email protected]>
AuthorDate: Tue Jun 2 18:07:17 2026 +0900

    MINOR: Fix and add CVE-2026-41115 info (#875)
    
    * Fix and add CVE-2026-41115 info
    
    * address reviewer's comment
---
 content/en/38/security/authorization-and-acls.md |  2 +-
 content/en/39/security/authorization-and-acls.md |  2 +-
 content/en/40/security/authorization-and-acls.md |  2 +-
 content/en/41/security/authorization-and-acls.md |  2 +-
 content/en/42/security/authorization-and-acls.md |  2 +-
 content/en/43/security/authorization-and-acls.md |  2 +-
 content/en/community/cve-list.md                 | 61 +++++++++++++++++++++++-
 7 files changed, 66 insertions(+), 7 deletions(-)

diff --git a/content/en/38/security/authorization-and-acls.md 
b/content/en/38/security/authorization-and-acls.md
index ddd3e7eeb9..2fdd644750 100644
--- a/content/en/38/security/authorization-and-acls.md
+++ b/content/en/38/security/authorization-and-acls.md
@@ -2257,7 +2257,7 @@ CONSUMER_GROUP_DESCRIBE (69)
 </td>  
 <td>
 
-Read
+Describe
 </td>  
 <td>
 
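Review bot: The operation cell for CONSUMER_GROUP_DESCRIBE (69) is changed from `Read` to `Describe` in the 3.8 documentation here (and again for 3.9 in the next hunk), yet the CVE-2026-41115 entry added later in this same patch lists only 4.0.0 - 4.3.0 as affected. If the 3.8 and 3.9 brokers also check DESCRIBE on the GROUP resource for this API, say so in the advisory or the commit message so the version range and the documentation change agree; if they still check READ there, this row should be left alone for those two versions.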
diff --git a/content/en/39/security/authorization-and-acls.md 
b/content/en/39/security/authorization-and-acls.md
index 2a02a8183d..3f2602a8ed 100644
--- a/content/en/39/security/authorization-and-acls.md
+++ b/content/en/39/security/authorization-and-acls.md
@@ -2257,7 +2257,7 @@ CONSUMER_GROUP_DESCRIBE (69)
 </td>  
 <td>
 
-Read
+Describe
 </td>  
 <td>
 
diff --git a/content/en/40/security/authorization-and-acls.md 
b/content/en/40/security/authorization-and-acls.md
index 924ba2c9d6..2c85d60b63 100644
--- a/content/en/40/security/authorization-and-acls.md
+++ b/content/en/40/security/authorization-and-acls.md
@@ -2210,7 +2210,7 @@ CONSUMER_GROUP_DESCRIBE (69)
 </td>  
 <td>
 
-Read
+Describe
 </td>  
 <td>
 
diff --git a/content/en/41/security/authorization-and-acls.md 
b/content/en/41/security/authorization-and-acls.md
index 6349dbd636..6b46f1f029 100644
--- a/content/en/41/security/authorization-and-acls.md
+++ b/content/en/41/security/authorization-and-acls.md
@@ -2218,7 +2218,7 @@ CONSUMER_GROUP_DESCRIBE (69)
 </td>  
 <td>
 
-Read
+Describe
 </td>  
 <td>
 
diff --git a/content/en/42/security/authorization-and-acls.md 
b/content/en/42/security/authorization-and-acls.md
index 6349dbd636..6b46f1f029 100644
--- a/content/en/42/security/authorization-and-acls.md
+++ b/content/en/42/security/authorization-and-acls.md
@@ -2218,7 +2218,7 @@ CONSUMER_GROUP_DESCRIBE (69)
 </td>  
 <td>
 
-Read
+Describe
 </td>  
 <td>
 
diff --git a/content/en/43/security/authorization-and-acls.md 
b/content/en/43/security/authorization-and-acls.md
index 6349dbd636..6b46f1f029 100644
--- a/content/en/43/security/authorization-and-acls.md
+++ b/content/en/43/security/authorization-and-acls.md
@@ -2218,7 +2218,7 @@ CONSUMER_GROUP_DESCRIBE (69)
 </td>  
 <td>
 
-Read
+Describe
 </td>  
 <td>
 
diff --git a/content/en/community/cve-list.md b/content/en/community/cve-list.md
index b5ba3fd017..8571a3de26 100644
--- a/content/en/community/cve-list.md
+++ b/content/en/community/cve-list.md
@@ -28,7 +28,66 @@ type: docs
 
 This page lists all security vulnerabilities fixed in released versions of 
Apache Kafka. 
 
-This page does **not** list security advisories for dependencies of Kafka. If 
your security scanner warns that there is an advisory for a dependency of 
Kafka, please see [this 
documentation](https://security.apache.org/report-dependency/). You can find 
the current development versions of various dependencies 
[here](https://github.com/apache/kafka/blob/trunk/gradle/dependencies.gradle). 
You can find a list of advisories that have been confirmed not to apply to 
Kafka [here](https://github. [...]
+This page does **not** list security advisories for dependencies of Kafka. If 
your security scanner warns that there is an advisory for a dependency of 
Kafka, please see [this 
documentation](https://security.apache.org/report-dependency/). You can find 
the current development versions of various dependencies 
[here](https://github.com/apache/kafka/blob/trunk/gradle/dependencies.gradle). 
You can find a list of advisories that have been confirmed not to apply to 
Kafka [here](https://github. [...]
+
+## [CVE-2026-41115](https://nvd.nist.gov/vuln/detail/CVE-2026-41115) Apache 
Kafka: Improper Authorization in CONSUMER_GROUP_DESCRIBE API {#CVE-2026-41115}
+
+The implementation of the CONSUMER_GROUP_DESCRIBE (69) API validates the 
DESCRIBE operation on the GROUP resource instead of the READ operation as 
documented in the official Kafka documentation and KIP-848.
+This discrepancy can result in misconfigured Access Control Lists (ACLs) and 
unintended security postures,
+like granting READ permission to users who should not be able to join/sync 
groups, or allowing users without READ permission (but with DESCRIBE 
permission) to access sensitive group metadata.
+
+The correct permission for CONSUMER_GROUP_DESCRIBE API is DESCRIBE GROUP so 
the current implementation is correct.
+However, the Kafka documentation as well as KIP-848 have been updated to 
reflect the correct permission.
+We advise the Kafka users to review existing group ACLs to ensure the 
principle of least privilege.
+
+<table>
+<tr>
+<td>
+
+Versions affected
+</td>
+<td>
+
+4.0.0 - 4.3.0
+</td> </tr>
+<tr>
+<td>
+
+Fixed versions
+</td>
+<td>
+
+4.0.0 - 4.3.0
+</td> </tr>
+<tr>
+<td>
+
+Impact
+</td>
+<td>
+
+This improper authorization can result in misconfigured ACLs and unintended 
security postures,
+like granting READ permission to users who should not be able to join/sync 
groups,
+or allowing users without READ permission (but with DESCRIBE permission) to 
access sensitive group metadata.
+</td> </tr>
+<tr>
+<td>
+
+Advice
+</td>
+<td>
+
+Kafka users using 4.0.0 - 4.3.0 are advised to review existing group ACLs to 
ensure the principle of least privilege.
+</td> </tr>
+<tr>
+<td>
+
+Issue announced
+</td>
+<td>
+
+2 Jun 2026
+</td> </tr> </table>
 
 ## [CVE-2026-33558](https://nvd.nist.gov/vuln/detail/CVE-2026-33558) Apache 
Kafka, Apache Kafka Clients: Information Exposure Through Network Client Log 
Output {#CVE-2026-33558}
 
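Review bot: The `Fixed versions` cell repeats the affected range `4.0.0 - 4.3.0`, which reads as if every affected release is also a fixed one; since the text above the table states that the broker behaviour is correct and only the documentation and KIP-848 were corrected, the cell should say that instead (for example `N/A: documentation and KIP-848 updated, no code change`) so readers do not go looking for a patched release. Two smaller points in the same hunk: the description paragraph and the `Impact` cell carry the same "misconfigured ACLs ... sensitive group metadata" sentence almost verbatim, so one of them can be shortened to a reference to the other, and `Kafka users using 4.0.0 - 4.3.0` reads better as `Kafka users running 4.0.0 - 4.3.0`.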