Severity

Medium

Status

Remediated

CVE-2026-2211

KRaft metadata log injection via crafted vote request

Technology

Apache Kafka

CVSS Score

6.5 / 10.0

Affected Versions

3.4.0 – 3.6.1

Patched In

OSSeva for Apache Kafka 3.6.2-osseva-1

Published

March 22, 2026

Remediated

April 5, 2026

Description

In KRaft mode, a malicious broker with network access to the controller can inject entries into the metadata log by sending a crafted Vote request, allowing privilege escalation within a multi-tenant cluster.

Is your Apache Kafka deployment affected?

If you're running 3.4.0 – 3.6.1, you need this patch. Book a discovery call to get covered.