MEDIUM 4.3

CVE-2026-41115: Apache Kafka CONSUMER_GROUP_DESCRIBE Authorization Documentation Mismatch

Apache Kafka contains an authorization mismatch in its consumer group metadata API. The CONSUMER_GROUP_DESCRIBE operation checks for DESCRIBE permission on groups, but Kafka's documentation and the relevant design specification (KIP-848) incorrectly state it should check for READ permission. This inconsistency between code behavior and documentation can lead to misconfigured access controls—either granting unintended READ access to users who only have DESCRIBE permissions, or blocking legitimate access for users who rely on documentation-based ACL configurations. The vulnerability is not a code flaw but a documentation gap that can cause real-world security postures to diverge from intent.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-285
Affected products
1 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

An improper authorization vulnerability has been identified in Apache Kafka. The implementation of the CONSUMER_GROUP_DESCRIBE (69) API validates the DESCRIBE operation on the GROUP resource instead of the READ operation that documented in the official kafka documentation and the KIP-848. This discrepancy can result in misconfigured Access Control Lists (ACLs) and unintended security postures, like granting READ permission to users who should not be able to join/sync groups, or allowing users without READ permission (but with DESCRIBE permission) to access sensitive group metadata. The correct permission for CONSUMER_GROUP_DESCRIBE API is DESCRIBE GROUP so the current implementation is correct. However, the kafka documentation as well as the KIP-848 will be updated to reflect the correct permission. We advise the Kafka users to review existing group ACLs to ensure the principle of least privilege.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The CONSUMER_GROUP_DESCRIBE API (operation code 69) in Apache Kafka performs authorization validation by checking the DESCRIBE operation on the GROUP resource. However, Kafka's official documentation and KIP-848 specify that READ permission should be required instead. This mismatch arises because the code implementation is actually correct—DESCRIBE GROUP is the proper permission for this operation—but the documentation was written to reflect an incorrect requirement. The discrepancy creates a window where operators following the documented permission model will misconfigure ACLs, resulting in either overpermissioned or underpermissioned access patterns depending on how operators interpret the conflicting signals.

Business impact

For organizations running Apache Kafka with security-sensitive deployments, this vulnerability creates operational risk around access control reliability. Teams that configured ACLs based on the official documentation are potentially running with incorrect security postures without realizing it. This could mean sensitive consumer group metadata (offsets, lag, member information) is either accessible to unauthorized users or blocked from authorized applications. In environments where Kafka serves multiple internal teams or external customers, ACL misconfiguration can lead to either compliance violations (unintended data exposure) or availability issues (legitimate applications unable to query group status). The risk is amplified in large, federated Kafka deployments where ACL configuration may not be actively reviewed.

Affected systems

All versions of Apache Kafka are affected by this documentation-implementation gap. The scope includes all deployments where ACL-based access controls are configured based on the official Kafka documentation or KIP-848. Organizations using Kafka's SASL/ACL authorization model are directly impacted; those relying on network segmentation or no authentication controls may not face immediate risk but should still review their baseline ACL strategy. The CONSUMER_GROUP_DESCRIBE API is used by monitoring tools, admin clients, and applications that need to inspect consumer group state, making this relevant to a broad set of Kafka users.

Exploitability

Exploitation does not involve active attack or code injection. Instead, the vulnerability manifests through misconfiguration. An attacker with legitimate Kafka credentials but overly broad DESCRIBE permissions could read sensitive consumer group metadata if ACLs were set based on the incorrect documentation. Conversely, operators following documented guidance might inadvertently lock out monitoring or application workloads. The CVSS score of 4.3 (Medium) reflects that exploitation requires authentication (PR:L) and results in limited confidentiality impact (C:L), but is straightforward once ACLs are misconfigured. No sophisticated techniques or zero-day exploitation methods are involved.

Remediation

Apache Kafka will update its official documentation and KIP-848 to clarify that CONSUMER_GROUP_DESCRIBE requires DESCRIBE GROUP permission, aligning documentation with the actual code behavior. Operators should conduct an immediate audit of ACLs granting READ or DESCRIBE permissions on consumer groups and verify they match organizational security intent. Review which users and service accounts have DESCRIBE permissions on groups and confirm those grants follow the principle of least privilege. For deployments where documentation-based ACLs were deployed, reconfigure any overly broad permissions and test that legitimate workloads can still query group metadata after tightening controls.

Patch guidance

Kafka operators should await and apply the documentation updates from the Apache Kafka project to resolve the guidance misalignment. No code patch is required because the implementation is already correct. The remediation is operational: audit and reconfigure ACLs to match the corrected documentation. Check the official Apache Kafka security advisory and release notes for the version in which documentation corrections are published, then update your internal runbooks and IAM configuration guidance to reflect DESCRIBE GROUP as the correct permission model for CONSUMER_GROUP_DESCRIBE operations.

Detection guidance

Review existing Kafka ACL configurations, specifically those granting READ or DESCRIBE permissions on consumer groups. Cross-reference against your security policies and principle-of-least-privilege baselines. Audit logs showing CONSUMER_GROUP_DESCRIBE API calls can be correlated with ACL assignments to identify whether the actual permissions in force match your security intent. If using Kafka's audit logging or a Kafka client wrapper, inspect which principals are calling the CONSUMER_GROUP_DESCRIBE operation and verify those principals should have group metadata visibility. Pay special attention to monitoring and observability pipelines, as they often have broad read permissions that may or may not be documented correctly.

Why prioritize this

This vulnerability should be prioritized as a configuration-review task rather than an emergency patch. Its Medium severity reflects that it requires prior authentication and affects confidentiality without enabling further lateral movement. However, in organizations with strict least-privilege policies or regulated environments (finance, healthcare), the risk of ACL misconfiguration warrants expedited review. Prioritize this if your Kafka deployment handles sensitive data (PII, financial records) or supports compliance-critical workloads. Organizations with minimal data sensitivity or in development/test environments can schedule remediation during normal change cycles.

Risk score, explained

The CVSS 3.1 score of 4.3 (Medium) reflects: Attack Vector Network (AV:N) because Kafka is typically accessed over the network; Attack Complexity Low (AC:L) because once misconfigured, exploitation is straightforward; Privileges Required (PR:L) indicating an authenticated user is needed; User Interaction None (UI:N) as no user action is required; Scope Unchanged (S:U); Confidentiality Low (C:L) since unauthorized access to group metadata is possible but not catastrophic; Integrity None (I:N) and Availability None (A:N). The score does not account for the operational friction of actually discovering and fixing misconfigured ACLs, which may be underestimated in mature security environments.

Frequently asked questions

Does this affect Kafka deployments that don't use ACL-based authorization?

No. Deployments relying on network segmentation, Kerberos, or other authentication models without Kafka's native ACL layer are not directly vulnerable. However, all Kafka operators should verify their authorization model matches their security architecture.

Do I need to patch my Kafka cluster immediately?

No code patch is required because the Kafka implementation is correct. You should audit your ACLs to ensure they align with the principle of least privilege and match the corrected documentation. Apply documentation updates when released by Apache Kafka.

How do I know if my ACLs are misconfigured?

Review your Kafka ACL rules granting READ or DESCRIBE permissions on consumer groups. Compare those rules against your security policy. If users have DESCRIBE permissions they shouldn't, or if legitimate monitoring tools are blocked, your ACLs may have been misconfigured based on the incorrect documentation.

What groups or topics are most at risk?

Consumer groups handling sensitive data—such as those processing PII, payment information, or compliance-critical logs—are highest priority. Also review ACLs for internal service accounts with broad DESCRIBE permissions, as these often inherit overpermissioned legacy configurations.

This analysis is based on the CVE record and Apache Kafka vulnerability disclosure as of June 2026. Verify all patch versions, affected versions, and remediation steps against the official Apache Kafka security advisory and your vendor documentation. This is not legal or compliance advice; organizations in regulated industries should consult with their security and compliance teams. No exploit code or weaponized tooling is provided. The assessment assumes standard Kafka deployment configurations; air-gapped or heavily customized deployments may have different risk profiles. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).