Strimzi makes it dead simple to run Apache Kafka on your Kubernetes or OpenShift cluster. But if you’re running versions 0.47.0 up to (but not including) 0.50.1, you’re at risk thanks to CVE-2026-27133. In this post, we’ll walk through the vulnerability, see why it could be dangerous, look at how to check if you’re impacted, and even step through a basic exploit scenario.
What Is CVE-2026-27133?
From Strimzi 0.47.0 up to 0.50.1, when you configure a CA chain (a list of several Certificate Authority certificates that together vouch for a certificate), Strimzi gets something wrong.
The mistake: instead of trusting only the last link in the CA chain (which is how most systems do it safely), Strimzi trusts every single CA in the chain as its own trust anchor.
So what?
It’s like having a manager and her manager above her, but Strimzi treats both as bosses for approvals. In security, only the CA you intended as the trust anchor (the last CA in the chain, whether that is the final intermediate or the root) should be the one handing out trust. But Strimzi ended up treating any CA in the chain as good enough.
> 💬 Who’s impacted?
> - Kafka Connect instances using trusted CA chains
> - Kafka MirrorMaker 2 that uses trusted certificates for the *target* Kafka cluster
Why Does This Matter?
With this bug, a Kafka Connect or MirrorMaker deployment might connect and trust a broker presenting a certificate signed by *any* CA in your CA chain—not just the final one you intended.
- A malicious insider (or a compromised CA in the chain) could set up a fake broker that Kafka Connect/MirrorMaker would trust.
- This bypasses normal internal PKI checks and undermines the whole point of having a well-managed CA chain.
Visual Example
```text
# What you wanted:
Root CA -> Intermediate CA -> Server Cert
Kafka Connect trusts ONLY certificates from Intermediate CA

# What happens with this bug:
Root CA -> Intermediate CA -> Server Cert
Kafka Connect trusts CERTS from Root CA *AND* Intermediate CA (individually!)
```
Here’s a simplified Java example of how such bad chain handling happens (pseudo-code, not Strimzi’s actual source):

```java
// Pseudo-code: how NOT to build a TrustManager from a CA chain file
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import javax.net.ssl.TrustManagerFactory;

public class BadChainTrust {
    static TrustManagerFactory build(String chainPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream caChainInput = new FileInputStream(chainPath)) { // ca-chain.pem holds multiple CA certs
            Collection<? extends Certificate> caCerts = cf.generateCertificates(caChainInput);
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(null, null); // fresh, empty truststore
            int i = 1;
            for (Certificate cert : caCerts) {
                ks.setCertificateEntry("ca" + i, cert); // <-- adds *each* CA in the chain as its own trust anchor!
                i++;
            }
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            return tmf;
        }
    }
}
```
What’s Wrong?
When connecting, this TrustManager will accept any certificate signed by *any* of the CAs loaded above.
- IntermediateCA: used to sign your real Kafka broker's cert.
- RootCA: also signs certificates for other services (or even test/dev environments).

An attacker with access to RootCA (or another group in your company that gets RootCA-signed certs) can:
Step 1: Use RootCA to sign a fake Kafka broker certificate
Step 2: Spin up a rogue broker in a place Kafka Connect could reach
Step 3: Kafka Connect (using the affected Strimzi) will trust this fake broker by mistake, because it trusts both RootCA and IntermediateCA individually!
Potential Impact:
1. Create a test CA chain
```sh
# Root CA
openssl req -x509 -new -nodes -keyout root.key -out root.pem -days 365 -subj "/CN=RootCA"

# Intermediate CA
openssl req -new -nodes -keyout inter.key -out inter.csr -subj "/CN=IntermediateCA"
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -out inter.pem -days 365

# Server Cert signed by Intermediate
openssl req -new -nodes -keyout server.key -out server.csr -subj "/CN=real-broker"
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial -out server.pem -days 365

# Fake Broker signed by Root (this should not be trusted, but will be)
openssl req -new -nodes -keyout fake.key -out fake.csr -subj "/CN=fake-broker"
openssl x509 -req -in fake.csr -CA root.pem -CAkey root.key -CAcreateserial -out fake.pem -days 365
```
2. Build ca-chain.pem for Strimzi
```sh
cat root.pem inter.pem > ca-chain.pem
```
4. Start a Kafka Connect instance
Connect will accept both real-broker (signed by IntermediateCA) and fake-broker (signed by RootCA), even though it shouldn’t.
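As an added check (not code from the Strimzi project or the original post), this script rebuilds the test PKI from the steps above, giving the intermediate the CA extensions that the bare `openssl x509 -req` commands above leave out, and uses `openssl verify` to compare a trust store holding every CA in the chain (the buggy behaviour) with one holding only the last CA (the fixed behaviour). It assumes `openssl` is on PATH; all names and files are constructed.

```sh
#!/bin/sh
# Added example, not Strimzi's code. Assumes openssl is installed; CNs are constructed.
set -eu

make_test_pki() {  # $1 = scratch directory to create the test PKI in
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    # Root CA (self-signed) and an intermediate CA signed by it
    openssl req -new -nodes -keyout "$d/root.key" -out "$d/root.csr" -subj "/CN=RootCA" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" -out "$d/root.pem" -days 365 2>/dev/null
    openssl req -new -nodes -keyout "$d/inter.key" -out "$d/inter.csr" -subj "/CN=IntermediateCA" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" -out "$d/inter.pem" -days 365 2>/dev/null
    # Real broker cert signed by the intermediate; fake broker cert signed directly by the root
    openssl req -new -nodes -keyout "$d/server.key" -out "$d/server.csr" -subj "/CN=real-broker" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial -out "$d/server.pem" -days 365 2>/dev/null
    openssl req -new -nodes -keyout "$d/fake.key" -out "$d/fake.csr" -subj "/CN=fake-broker" 2>/dev/null
    openssl x509 -req -in "$d/fake.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -out "$d/fake.pem" -days 365 2>/dev/null
    # Buggy trust store: every CA in the chain is an anchor. Fixed: only the last CA is.
    cat "$d/root.pem" "$d/inter.pem" > "$d/ca-chain.pem"
    last_ca "$d/ca-chain.pem" > "$d/last-ca.pem"
}

# Print only the last certificate of a PEM bundle (what the fixed Strimzi trusts).
last_ca() {
    awk '/-----BEGIN CERTIFICATE-----/{buf=""} {buf=buf $0 "\n"} /-----END CERTIFICATE-----/{last=buf} END{printf "%s", last}' "$1"
}

# Exit 0 if cert $2 chains to an anchor in bundle $1. -partial_chain mirrors a Java
# truststore, where every entry is a trust anchor even when it is not self-signed.
check_trust() {
    openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d); make_test_pki "$d"
    for anchors in ca-chain.pem last-ca.pem; do
        for cert in server.pem fake.pem; do
            if check_trust "$d/$anchors" "$d/$cert"; then r=ACCEPTED; else r=REJECTED; fi
            echo "trust=$anchors cert=$cert -> $r"
        done
    done
}

demo
```

With `ca-chain.pem` both broker certs are accepted; with `last-ca.pem` only `server.pem` is, which is the behaviour the 0.50.1 fix restores.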
Mitigation & Fix
- Upgrade immediately to Strimzi 0.50.1 or newer. The fix ensures only the last CA in the chain is trusted for server certificate verification.
- Check whether any CA in the chain other than the intended issuing CA could have signed certificates you do not want trusted.
- Rotate/redeploy new certificates if you suspect compromise.
Bottom Line
If you’re running Strimzi and use certificate chains to secure your Kafka cluster, check your version right now.
This is a classic bug: easy to overlook, hard to spot just by reading configs, but with potentially huge consequences.
Don’t let a misplaced certificate ruin your day—patch now.
Timeline
Published on: 02/20/2026 22:38:27 UTC
Last modified on: 02/20/2026 23:16:02 UTC