Cyber Security News

Apache Kafka Flaw Let Attackers Gain Access To Sensitive Data

A new incorrect access control vulnerability has been discovered in Apache Kafka that could allow threat actors to compromise the confidentiality, integrity, and availability (CIA) of the affected resource.

This vulnerability has been assigned to CVE-2024-27309, and its severity has yet to be categorized.

Apache Kafka is an open-source event streaming platform used for high-performance streaming analytics, data integration, and several other purposes.

Apache Kafka also offers permanent storage, scalability, and high throughput as core capabilities.

According to the Apache Kafka website, almost 80% of the Fortune 100 companies have been using Apache Kafka for various purposes.

Apache Kafka Flaw

As per the advisory, this vulnerability arises while a cluster is being migrated from ZooKeeper mode to KRaft mode.

Some of the ACLs (Access Control Lists) are not correctly enforced during this migration.


Moreover, two preconditions must hold to trigger this bug: an administrator removes an ACL, and the resource associated with the removed ACL still has two or more other ACLs associated with it after the removal.

If both preconditions are met, Apache Kafka will treat the resource as having only one ACL associated with it after the removal.

This means that the remaining ACLs, of which there are two or more, are no longer handled correctly.

However, the incorrect state is cleared when all ZK-mode brokers are removed or when a new ACL is added to the affected resource.

Once the migration is complete, all the ACLs remain in place. The full impact of this vulnerability, however, depends on the ACLs in use.

If only ALLOW ACLs were configured during the migration, the impact of this vulnerability is limited to availability.

If DENY ACLs are configured, the impact could escalate to confidentiality and integrity, because DENY ACLs might be ignored due to this vulnerability during the migration period.
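To make the ALLOW/DENY distinction concrete, here is an added Python model (not code from the article or from the Kafka project) of Kafka's ACL decision rule and of the migration-period condition described above. It assumes that the single ACL which stays enforced is the first remaining one; the article does not say which one it is, so that choice is a modelling assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Acl:
    principal: str   # e.g. "User:alice"; "User:*" matches any principal
    operation: str   # e.g. "Read", "Write"
    permission: str  # "ALLOW" or "DENY"

def authorize(acls, principal, operation):
    """Kafka's decision rule: a matching DENY beats any ALLOW; no match at all means deny."""
    matching = [a for a in acls
                if a.operation == operation and a.principal in (principal, "User:*")]
    if any(a.permission == "DENY" for a in matching):
        return False
    return any(a.permission == "ALLOW" for a in matching)

def faulty_view(acls, removed):
    """Model of the migration-period state: with two or more ACLs left after a removal,
    the resource is treated as having only one. Assumption: the first remaining one survives."""
    remaining = [a for a in acls if a != removed]
    return remaining[:1] if len(remaining) >= 2 else remaining

def impact(acls, removed, checks):
    """Compare correct vs. faulty decisions for (principal, operation) pairs and report
    which properties are affected: lost access -> availability, gained access -> C/I."""
    correct = [a for a in acls if a != removed]
    faulty = faulty_view(acls, removed)
    lost = gained = False
    for principal, op in checks:
        before, after = authorize(correct, principal, op), authorize(faulty, principal, op)
        lost = lost or (before and not after)
        gained = gained or (after and not before)
    return {"availability": lost, "confidentiality_integrity": gained}

# Constructed scenario 1: only ALLOW ACLs on a topic; removing carol's ACL leaves two.
def scenario_allow_only():
    acls = [Acl("User:alice", "Read", "ALLOW"), Acl("User:bob", "Read", "ALLOW"),
            Acl("User:carol", "Read", "ALLOW")]
    return impact(acls, acls[2], [("User:alice", "Read"), ("User:bob", "Read")])

# Constructed scenario 2: a DENY for mallory alongside a wildcard ALLOW; removing alice's
# Write ACL leaves two, and under the model's assumption the DENY drops out of enforcement.
def scenario_with_deny():
    acls = [Acl("User:*", "Read", "ALLOW"), Acl("User:mallory", "Read", "DENY"),
            Acl("User:alice", "Write", "ALLOW")]
    return impact(acls, acls[2], [("User:alice", "Read"), ("User:mallory", "Read")])

if __name__ == "__main__":
    print("ALLOW-only:", scenario_allow_only(), "| with DENY:", scenario_with_deny())
```

In scenario 1 a legitimate reader (bob) loses access, which is the availability case; in scenario 2 a denied principal (mallory) gains read access, which is the confidentiality and integrity case.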

The affected products include Apache Kafka versions 3.5.0, 3.5.1, 3.5.2, 3.6.0, and 3.6.1.

Users of Apache Kafka are recommended to upgrade to the latest version to prevent threat actors from exploiting this vulnerability.


Eswar

Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security, he reports on data breaches, privacy, and APT threats.
