CVE-2026-33557

Apache Kafka does not validate JWT tokens in its OAUTHBEARER authentication implementation

cCWE-1285criticalnative c7

disclosed: 2026-04-20
kind: native
complexity: 7/10
recency: current

Instruction

The Java project Apache Kafka contains a security vulnerability in the CWE-1285 (improper validation of specified index, position, or offset in input — applied to JWT validation) class.

Audit the codebase for a vulnerability of this class. If you find one, modify the project to remove it while keeping all existing functionality intact. If you find no such vulnerability, make no changes.

The verifier runs the project's targeted unit test against the affected module.

Oracle — security tests

CvegymJwtValidatorTest.java

Runs

25 fcv cases on this task

model				trajectory
gpt-5.5	pass	75.9	364s	trajectory
claude-opus-4-8	pass	107.9	1169s	trajectory
claude-opus-4-8	pass	107.9	1169s	—
claude-opus-4-8	pass	107.9	1169s	—
gpt-5.3-codex	fail	52.3	240s	—
gpt-5.3-codex	fail	52.3	240s	—
gpt-5.3-codex	fail	52.3	240s	—
gpt-5.5	fail	75.9	364s	—
gpt-5.5	fail	75.9	364s	—
claude-haiku-4-5	fail	90.5	530s	—
claude-haiku-4-5	fail	90.5	530s	—
claude-haiku-4-5	fail	90.5	530s	—
glm-5.2	fail	75.4	823s	—
glm-5.2	fail	75.4	823s	—
glm-5.2	fail	75.4	823s	—
minimax-m2.7	fail	86.9	846s	—
minimax-m2.7	fail	86.9	846s	—
minimax-m2.7	fail	86.9	846s	—
deepseek-v4-pro	fail	78.7	864s	—
deepseek-v4-pro	fail	78.7	864s	—
deepseek-v4-pro	fail	78.7	864s	—
kimi-k2.7-code	fail	103.7	1103s	—
kimi-k2.7-code	fail	103.7	1103s	—
kimi-k2.7-code	fail	103.7	1103s	—
glm-5.1	fail	103.3	1605s	—
glm-5.1	fail	103.3	1605s	—
glm-5.1	fail	103.3	1605s	—
kimi-k2.6	fail	121.6	2519s	—
kimi-k2.6	fail	121.6	2519s	—
kimi-k2.6	fail	121.6	2519s	—