{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27133", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-17T18:42:27.044Z", "datePublished": "2026-02-20T22:38:27.721Z", "dateUpdated": "2026-02-25T21:32:33.009Z"}, "containers": {"cna": {"title": "Strimzi All CAs from CA chain will be trusted in Kafka Connect and Kafka MirrorMaker 2 target clusters", "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "lang": "en", "description": "CWE-295: Improper Certificate Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-296", "lang": "en", "description": "CWE-296: Improper Following of a Certificate's Chain of Trust", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-6x85-j2f7-4xc5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-6x85-j2f7-4xc5"}, {"name": "https://github.com/strimzi/strimzi-kafka-operator/releases/tag/0.50.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/strimzi/strimzi-kafka-operator/releases/tag/0.50.1"}], "affected": [{"vendor": "strimzi", "product": "strimzi-kafka-operator", "versions": [{"version": ">= 0.47.0, < 0.51.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-20T22:38:27.721Z"}, "descriptions": [{"lang": "en", "value": "Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 to before 0.50.1, when a chain consisting of multiple CA (Certificate Authority) certificates is used in the trusted certificates configuration of a Kafka Connect operand or of the target cluster in the Kafka MirrorMaker 2 operand, all of the certificates that are part of the CA chain will be trusted individually when connecting to the Apache Kafka cluster. Due to this error, the affected operand (Kafka Connect or Kafka MirrorMaker 2) might accept connections to Kafka brokers using server certificates signed by one of the other CAs in the CA chain and not just by the last CA in the chain. This issue is fixed in Strimzi 0.50.1."}], "source": {"advisory": "GHSA-6x85-j2f7-4xc5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T21:32:25.189755Z", "id": "CVE-2026-27133", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:32:33.009Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27133", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-25T21:32:25.189755Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:32:29.628Z"}}], "cna": {"title": "Strimzi All CAs from CA chain will be trusted in Kafka Connect and Kafka MirrorMaker 2 target clusters", "source": {"advisory": "GHSA-6x85-j2f7-4xc5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "strimzi", "product": "strimzi-kafka-operator", "versions": [{"status": "affected", "version": ">= 0.47.0, < 0.51.1"}]}], "references": [{"url": "https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-6x85-j2f7-4xc5", "name": "https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-6x85-j2f7-4xc5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/strimzi/strimzi-kafka-operator/releases/tag/0.50.1", "name": "https://github.com/strimzi/strimzi-kafka-operator/releases/tag/0.50.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 to before 0.50.1, when a chain consisting of multiple CA (Certificate Authority) certificates is used in the trusted certificates configuration of a Kafka Connect operand or of the target cluster in the Kafka MirrorMaker 2 operand, all of the certificates that are part of the CA chain will be trusted individually when connecting to the Apache Kafka cluster. Due to this error, the affected operand (Kafka Connect or Kafka MirrorMaker 2) might accept connections to Kafka brokers using server certificates signed by one of the other CAs in the CA chain and not just by the last CA in the chain. This issue is fixed in Strimzi 0.50.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-296", "description": "CWE-296: Improper Following of a Certificate's Chain of Trust"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-20T22:38:27.721Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27133", "state": "PUBLISHED", "dateUpdated": "2026-02-25T21:32:33.009Z", "dateReserved": "2026-02-17T18:42:27.044Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-20T22:38:27.721Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:strimzi_kafka_operator:*:*:*:*:*:*:*:*", "matchCriteriaId": "1474C0DA-92A0-4E06-BBA5-FC048A0028E2", "versionEndExcluding": "0.50.1", "versionStartIncluding": "0.47.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 to before 0.50.1, when a chain consisting of multiple CA (Certificate Authority) certificates is used in the trusted certificates configuration of a Kafka Connect operand or of the target cluster in the Kafka MirrorMaker 2 operand, all of the certificates that are part of the CA chain will be trusted individually when connecting to the Apache Kafka cluster. Due to this error, the affected operand (Kafka Connect or Kafka MirrorMaker 2) might accept connections to Kafka brokers using server certificates signed by one of the other CAs in the CA chain and not just by the last CA in the chain. This issue is fixed in Strimzi 0.50.1."}, {"lang": "es", "value": "Strimzi proporciona una forma de ejecutar un cl\u00faster de Apache Kafka en Kubernetes u OpenShift en varias configuraciones de despliegue. Desde la versi\u00f3n 0.47.0 hasta antes de la 0.50.1, cuando se utiliza una cadena que consta de m\u00faltiples certificados de CA (Autoridad de Certificaci\u00f3n) en la configuraci\u00f3n de certificados de confianza de un operando de Kafka Connect o del cl\u00faster de destino en el operando de Kafka MirrorMaker 2, todos los certificados que forman parte de la cadena de CA ser\u00e1n confiados individualmente al conectarse al cl\u00faster de Apache Kafka. Debido a este error, el operando afectado (Kafka Connect o Kafka MirrorMaker 2) podr\u00eda aceptar conexiones a brokers de Kafka utilizando certificados de servidor firmados por una de las otras CA en la cadena de CA y no solo por la \u00faltima CA de la cadena. Este problema est\u00e1 solucionado en Strimzi 0.50.1."}], "id": "CVE-2026-27133", "lastModified": "2026-02-25T18:54:14.473", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-20T23:16:02.933", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/strimzi/strimzi-kafka-operator/releases/tag/0.50.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-6x85-j2f7-4xc5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}, {"lang": "en", "value": "CWE-296"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "strimzi-kafka-operator: Strimzi: Improper certificate validation allows unauthorized access via CA chain misconfiguration", "id": "2441519", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441519"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-295", "details": ["Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 to before 0.50.1, when a chain consisting of multiple CA (Certificate Authority) certificates is used in the trusted certificates configuration of a Kafka Connect operand or of the target cluster in the Kafka MirrorMaker 2 operand, all of the certificates that are part of the CA chain will be trusted individually when connecting to the Apache Kafka cluster. Due to this error, the affected operand (Kafka Connect or Kafka MirrorMaker 2) might accept connections to Kafka brokers using server certificates signed by one of the other CAs in the CA chain and not just by the last CA in the chain. This issue is fixed in Strimzi 0.50.1."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-27133", "package_state": [{"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Fix deferred", "package_name": "io.strimzi-strimzi", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Fix deferred", "package_name": "io.strimzi-strimzi-drain-cleaner", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Fix deferred", "package_name": "io.strimzi-strimzi", "product_name": "streams for Apache Kafka 3"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Fix deferred", "package_name": "io.strimzi-strimzi-drain-cleaner", "product_name": "streams for Apache Kafka 3"}], "public_date": "2026-02-20T22:38:27Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27133\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27133\nhttps://github.com/strimzi/strimzi-kafka-operator/releases/tag/0.50.1\nhttps://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-6x85-j2f7-4xc5"], "threat_severity": "Moderate"}