CVE-2026-27133

Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 to before 0.50.1, when a chain consisting of multiple CA (Certificate Authority) certificates is used in the trusted certificates configuration of a Kafka Connect operand or of the target cluster in the Kafka MirrorMaker 2 operand, all of the certificates that are part of the CA chain will be trusted individually when connecting to the Apache Kafka cluster. Due to this error, the affected operand (Kafka Connect or Kafka MirrorMaker 2) might accept connections to Kafka brokers using server certificates signed by one of the other CAs in the CA chain and not just by the last CA in the chain. This issue is fixed in Strimzi 0.50.1.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.7 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/strimzi/strimzi-kafka-operator/releases/tag/0.50.1	Product Release Notes
https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-6x85-j2f7-4xc5	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:linuxfoundation:strimzi:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-20 23:16

Updated : 2026-02-27 21:48

NVD link : CVE-2026-27133

Mitre link : CVE-2026-27133

CVE.ORG link : CVE-2026-27133

JSON object : View

Products Affected

linuxfoundation

strimzi

CWE

CWE-295

Improper Certificate Validation

CWE-296

Improper Following of a Certificate's Chain of Trust

{"id": "CVE-2026-27133", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 0.7}]}, "published": "2026-02-20T23:16:02.933", "references": [{"url": "https://github.com/strimzi/strimzi-kafka-operator/releases/tag/0.50.1", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-6x85-j2f7-4xc5", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-295"}, {"lang": "en", "value": "CWE-296"}]}], "descriptions": [{"lang": "en", "value": "Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 to before 0.50.1, when a chain consisting of multiple CA (Certificate Authority) certificates is used in the trusted certificates configuration of a Kafka Connect operand or of the target cluster in the Kafka MirrorMaker 2 operand, all of the certificates that are part of the CA chain will be trusted individually when connecting to the Apache Kafka cluster. Due to this error, the affected operand (Kafka Connect or Kafka MirrorMaker 2) might accept connections to Kafka brokers using server certificates signed by one of the other CAs in the CA chain and not just by the last CA in the chain. This issue is fixed in Strimzi 0.50.1."}, {"lang": "es", "value": "Strimzi proporciona una forma de ejecutar un cl\u00faster de Apache Kafka en Kubernetes u OpenShift en varias configuraciones de despliegue. Desde la versi\u00f3n 0.47.0 hasta antes de la 0.50.1, cuando se utiliza una cadena que consta de m\u00faltiples certificados de CA (Autoridad de Certificaci\u00f3n) en la configuraci\u00f3n de certificados de confianza de un operando de Kafka Connect o del cl\u00faster de destino en el operando de Kafka MirrorMaker 2, todos los certificados que forman parte de la cadena de CA ser\u00e1n confiados individualmente al conectarse al cl\u00faster de Apache Kafka. Debido a este error, el operando afectado (Kafka Connect o Kafka MirrorMaker 2) podr\u00eda aceptar conexiones a brokers de Kafka utilizando certificados de servidor firmados por una de las otras CA en la cadena de CA y no solo por la \u00faltima CA de la cadena. Este problema est\u00e1 solucionado en Strimzi 0.50.1."}], "lastModified": "2026-02-27T21:48:29.913", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:strimzi:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D78C87B5-B3CA-4A0A-97B5-24F6CBDD092F", "versionEndExcluding": "0.50.1", "versionStartIncluding": "0.47.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}