Intel

AIKIDO-2026-235792

confluent-kafka is vulnerable to Improper Certificate Validation

Improper Certificate Validation Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 6 days ago

45

Medium Risk

This Affects:

PYTHONconfluent-kafka
2.6.2 - 2.14.2
Fixed in 2.15.0
Are you affected? Scan for Free

TL;DR

The HashiCorp Vault KMS driver used by Schema Registry Client-Side Field Level Encryption builds its hvac.Client with TLS certificate verification disabled. The HcVaultKmsClient hard-coded verify=False, so connections to Vault never validated the server certificate, and a later _get_verify change still treated an empty ssl.ca.location / VAULT_CACERT value as verification off. A network attacker able to intercept traffic to Vault could impersonate the server, capture the Vault token, and read or tamper with wrapped key-encryption-key material. The fix wires a computed verify (defaulting to True) and optional client cert into hvac.Client and treats empty CA values as unconfigured.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and use the HashiCorp Vault KMS driver for Schema Registry encryption (CSFLE) rules.

Background info

confluent-kafka is vulnerable to Improper Certificate Validation in versions 2.6.2 - 2.14.2.

How to fix this

Upgrade the confluent-kafka library to the patch version.