Security

This page lists all publicly disclosed security vulnerabilities (CVEs) affecting Strimzi components. To report a new vulnerability, please follow the security policy.

CVE-2026-55226 Moderate

Unrestricted access to all Secrets within namespace watched by the Topic operator

When only the Topic or only the User operators are deployed as part of the Entity Operator in the Kafka custom resource, the RBAC rights are not following the principle of least-privilege and the Entity Operator ServiceAccount still has access rights corresponding to both operators. That might allow the ServiceAccount to access KafkaUser custom resources and Secrets when the User operator is not deployed and access KafkaTopic custom resources when the Topic operator is not deployed.

Affected versions	<= 1.0.0
Fixed versions	1.0.1, 1.1.0
Issue announced	17 June 2026
Advisory	https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-r427-j2h7-wv3m

CVE-2026-55225 High

Cross-namespace privilege escalation via Kafka.spec.entityOperator

Having the Topic and User operators to watch different namespaces than the one where the Kafka cluster is deployed, is a fully documented feature. When the watchedNamespace field is used within the Topic or User operator (as part of the Kafka.spec.entityOperator field), the Cluster Operator creates a Role granting full CRUD on Secrets into the specified namespace. It also creates a RoleBinding to bind such Role to the entity operator ServiceAccount within the namespace where the Kafka cluster runs. An attacker can craft a Kafka custom resource (in an attacker's namespace) with the watchedNamespace field set to a target namespace and then they can mint a token for the ServiceAccount (in the attacker's namespace) to read/write Secrets in that target. This is valid with any target namespace for which the Cluster Operator has the rights (regardless the value of the STRIMZI_NAMESPACE environment variable). The at-risk target namespaces are the namespaces which the user has given permissions to the Cluster Operator for, by creating related RoleBinding(s).

Affected versions	<= 1.0.0
Fixed versions	1.0.1, 1.1.0
Issue announced	17 June 2026
Advisory	https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-mw9r-p8xp-wx96

CVE-2026-27134 High

All CAs from a custom CA chain consisting of multiple CAs are trusted for mTLS user authentication

When using a custom Cluster or Clients CA with a multistage CA chain consisting of multiple CAs, Strimzi incorrectly configures the trusted certificates for mTLS authentication on internal as well as user-configured listeners. All CAs from the CA chain will be trusted, allowing users authenticated by any CA in the chain to connect to the Kafka cluster.

Affected versions	>= 0.49.0
Fixed versions	0.50.1, 0.51.0
Issue announced	19 February 2026
Advisory	https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-2qwx-rq6j-8r6j

CVE-2026-27133 Medium

All CAs from CA chain will be trusted in Kafka Connect and Kafka MirrorMaker 2 target clusters

When a chain consisting of multiple CA certificates is used in the trusted certificates configuration of a Kafka Connect operand or of the target cluster in the Kafka MirrorMaker 2 operand, all of the certificates that are part of the CA chain will be trusted instead of only the leaf CA certificate.

Affected versions	>= 0.47.0
Fixed versions	0.50.1, 0.51.0
Issue announced	19 February 2026
Advisory	https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-6x85-j2f7-4xc5

CVE-2025-66623 High

Unrestricted access to all Secrets in the same Kubernetes namespace from Kafka Connect and MirrorMaker 2 operands

In some situations, Strimzi creates an incorrect Kubernetes Role which grants the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands GET access to all Kubernetes Secrets that exist in the given Kubernetes namespace. This occurs when external listeners with TLS are configured together with Kafka Connect or MirrorMaker 2 with the externalConfiguration option referencing a Secret.