Security Vulnerability in Apache Kafka

⚠️ CVE references: CVE-2026-33557
Apache - Apache Kafka - CRITICAL - CVE-2026-33557. The vulnerability in Apache Kafka stems from the default configuration of the broker property `sasl.oauthbearer.jwt.validator.class`, which accepts any JWT without validating its signature, issuer, or audience. An attacker could therefore craft a JWT whose `preferred_username` claim names an arbitrary user and have the broker accept it. To mitigate the risk, users of Kafka versions 4.1.0 and 4.1.1 should set the property to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator`, which validates JWTs properly. Releases from version 4.1.2 onward fix the issue by incorporating proper validation.
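As an added example (not code from the advisory or from Apache Kafka), the following Python script audits a broker properties file for the mitigation above: it parses the file and reports whether `sasl.oauthbearer.jwt.validator.class` is explicitly set to the `BrokerJwtValidator` class the advisory names, or whether a 4.1.0/4.1.1 broker still relies on the permissive default. The sample configurations and listener values are constructed.

```python
# Added example (not from the advisory or Apache Kafka): audit a broker
# properties file for the CVE-2026-33557 mitigation, i.e. an explicit
# sasl.oauthbearer.jwt.validator.class=BrokerJwtValidator setting.
from typing import Optional

PROPERTY = "sasl.oauthbearer.jwt.validator.class"
SAFE_VALUE = "org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator"
AFFECTED_VERSIONS = ("4.1.0", "4.1.1")  # per the advisory; 4.1.2+ fix the default


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value or key: value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The separator is whichever of '=' or ':' appears first on the line.
        idx = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if idx < 0:
            props[line] = ""
            continue
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def audit(config_text: str, kafka_version: Optional[str] = None) -> dict:
    """Report whether the broker still relies on the permissive default validator.

    status is 'ok' (hardened), 'missing' (default in effect) or 'other' (custom
    class, review manually); vulnerable is True only when the default is in
    effect on an affected version, or on an unknown version.
    """
    value = parse_properties(config_text).get(PROPERTY)
    status = "ok" if value == SAFE_VALUE else "missing" if value is None else "other"
    on_affected = kafka_version is None or kafka_version in AFFECTED_VERSIONS
    return {
        "status": status,
        "value": value,
        "vulnerable": status == "missing" and on_affected,
        "needs_review": status == "other",
    }


# Constructed sample configs (not real broker files); listener values are made up.
WEAK_CONFIG = """# OAUTHBEARER listener left on the default JWT validator
listeners=SASL_SSL://broker1.example.internal:9093
sasl.enabled.mechanisms=OAUTHBEARER
"""
HARDENED_CONFIG = WEAK_CONFIG + f"{PROPERTY}={SAFE_VALUE}\n"
```

Point `audit()` at the contents of a broker's `server.properties` together with its reported version; a `missing` status on 4.1.0 or 4.1.1 is the condition the advisory describes.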
Source: securityvulnerability.io