Apache Kafka NetworkClient Debug Logging Exposes Sensitive Credentials in CVE-2026-33558
A critical information exposure vulnerability has been identified in Apache Kafka's NetworkClient component, tracked as CVE-2026-33558. When DEBUG-level logging is enabled, the component writes entire request and response payloads to its logs, which can expose authentication credentials and delegation token data. The vulnerability affects every Kafka release up to and including v3.9.1, as well as v4.0.0. The default log level is INFO, so sensitive data is not logged out of the box, but any deployment that has activated DEBUG logging is at risk.
The exposed data includes credentials from authentication requests such as SaslAuthenticateRequest and SaslAuthenticateResponse, along with delegation token operations including AlterUserScramCredentialsRequest, ExpireDelegationTokenRequest, RenewDelegationTokenRequest, and their responses. Configuration and token management operations such as AlterConfigsRequest, IncrementalAlterConfigsRequest, CreateDelegationTokenResponse, and DescribeDelegationTokenResponse are also logged in full at DEBUG level. As a result, any Kafka cluster where developers or operators have enabled DEBUG logging for troubleshooting inadvertently copies credentials into log storage, and every system that stores or forwards those logs becomes a path to credential exposure.
Organizations running vulnerable Kafka versions face risks of credential theft and unauthorized access if DEBUG logs containing this sensitive information are stored insecurely, shared, or accessed by unauthorized parties. The vulnerability carries a CWE-533 classification for information exposure through log files. Apache Kafka is widely deployed across financial services, cloud infrastructure providers, and enterprise messaging systems, making the potential blast radius significant. Administrators should upgrade to v3.9.2, v4.0.1, or later immediately. Any environments where DEBUG logging is required should treat log storage and access controls as critical security boundaries, with particular attention to who can access log aggregation systems, log shippers, and centralized logging platforms.
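Two checks operators typically want after reading an advisory like this: whether a deployment is on an affected release, and whether logs already written at DEBUG contain the payload types named above and therefore need purging and credential rotation. The following is an added example written for this article, not code from the advisory or the Kafka project; it assumes the stock Kafka log4j line layout `[%d] %p %m (%c)%n`, flags lines by the request/response type names the advisory lists rather than parsing payload contents, and runs over constructed sample lines.

```python
import re
from collections import Counter

# Request/response types the advisory lists as logged in full at DEBUG level;
# longer names precede their substrings so the regex reports the exact type.
SENSITIVE_RE = re.compile("|".join((
    "SaslAuthenticateRequest", "SaslAuthenticateResponse",
    "AlterUserScramCredentialsRequest", "ExpireDelegationTokenRequest",
    "RenewDelegationTokenRequest", "CreateDelegationTokenResponse",
    "DescribeDelegationTokenResponse", "IncrementalAlterConfigsRequest",
    "AlterConfigsRequest",
)))
# Assumes the stock Kafka log4j layout "[%d] %p %m (%c)%n".
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<level>[A-Z]+) (?P<msg>.*) \((?P<logger>[\w.$]+)\)$")

# Constructed sample lines in that layout; not real captured output.
SAMPLE_LOG = """\
[2026-03-01 10:00:00,101] INFO [Producer clientId=p1] Cluster ID: abc-cluster (org.apache.kafka.clients.Metadata)
[2026-03-01 10:00:00,102] DEBUG [Producer clientId=p1] Sending SASL_AUTHENTICATE request to node 0: SaslAuthenticateRequestData(authBytes=<constructed-placeholder>) (org.apache.kafka.clients.NetworkClient)
[2026-03-01 10:00:00,103] DEBUG [Producer clientId=p1] Received SASL_AUTHENTICATE response from node 0: SaslAuthenticateResponseData(sessionLifetimeMs=0) (org.apache.kafka.clients.NetworkClient)
[2026-03-01 10:00:00,104] DEBUG [AdminClient clientId=a1] Sending METADATA request to node 0: MetadataRequestData(topics=[]) (org.apache.kafka.clients.NetworkClient)
[2026-03-01 10:00:00,105] DEBUG [AdminClient clientId=a1] Received DESCRIBE_DELEGATION_TOKEN response from node 0: DescribeDelegationTokenResponseData(tokens=[...]) (org.apache.kafka.clients.NetworkClient)
""".splitlines()

def is_vulnerable_version(version: str) -> bool:
    """Affected per the advisory: every release through 3.9.1, plus 4.0.0."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Kafka version: {version!r}")
    ver = tuple(int(x) for x in m.groups())
    return ver <= (3, 9, 1) or ver == (4, 0, 0)

def scan_log_lines(lines: list[str]) -> list[tuple[int, str, str]]:
    """Return (line_no, payload_type, logger) for DEBUG lines carrying a sensitive payload."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m or m["level"] != "DEBUG":
            continue  # only DEBUG output carries the full request/response body
        t = SENSITIVE_RE.search(m["msg"])
        if t:
            hits.append((n, t.group(0), m["logger"]))
    return hits

def summarize(hits: list[tuple[int, str, str]]) -> dict[str, int]:
    """Count leaked payloads by type, e.g. to scope purging and credential rotation."""
    return dict(Counter(t for _, t, _ in hits))
```

A non-empty result from `scan_log_lines` over real log archives means the credentials in those entries should be treated as compromised wherever the archive has been stored or shipped, independent of the upgrade.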