CVE-2026-27134

EPSS 0.02%
Veröffentlicht 20.02.2026 23:05:04
Zuletzt bearbeitet 25.02.2026 18:54:50
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. In versions  0.49.0 through 0.50.0, when using a custom Cluster or Clients CA with a multistage CA chain consisting of multiple CAs, Strimzi incorrectly configures the trusted certificates for mTLS authentication on the internal as well as user-configured listeners. All CAs from the CA chain will be trusted. And users with certificates signed by any of the CAs in the chain will be able to authenticate. This issue affects only users using a custom Cluster or Clients CA with a multistage CA chain consisting of multiple CAs. It does not affect users using the Strimzi-managed Cluster and Clients CAs. It also does not affect users using custom Cluster or Clients CA with only a single CA (i.e., no CA chain with multiple CAs). This issue has been fixed in version 0.50.1. To workaround this issue, instead of providing the full CA chain as the custom CA, users can provide only the single CA that should be used.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 3 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linuxfoundation ≫ Strimzi Kafka Operator Version >= 0.49.0 < 0.50.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.042

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

CWE-296 Improper Following of a Certificate's Chain of Trust

The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.

https://github.com/strimzi/strimzi-kafka-operator/releases/tag/0.50.1

Product

Release Notes

https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-2qwx-rq6j-8r6j

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-27134

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-27134

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-27134

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-27134