CVE-2026-27134: Strimzi: All CAs from a custom CA chain consisting of multiple CAs are trusted for mTLS user autentication
Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. In versions 0.49.0 through 0.50.0, when using a custom Cluster or Clients CA with a multistage CA chain consisting of multiple CAs, Strimzi incorrectly configures the trusted certificates for mTLS authentication on the internal as well as user-configured listeners. All CAs from the CA chain will be trusted. And users with certificates signed by any of the CAs in the chain will be able to authenticate. This issue affects only users using a custom Cluster or Clients CA with a multistage CA chain consisting of multiple CAs. It does not affect users using the Strimzi-managed Cluster and Clients CAs. It also does not affect users using custom Cluster or Clients CA with only a single CA (i.e., no CA chain with multiple CAs). This issue has been fixed in version 0.50.1. To workaround this issue, instead of providing the full CA chain as the custom CA, users can provide only the single CA that should be used.
Security readout for executives and security teams
Plain-English summary
This flaw can weaken Kafka client or internal mTLS authentication in specific Strimzi deployments. If a custom multi-CA chain is used, Strimzi may trust every CA in that chain, letting certificates from unintended CAs authenticate. Deployments using Strimzi-managed CAs or a single custom CA are not affected.
Executive priority
Treat as high priority for Kafka platforms using custom certificate chains. It is not a blanket Strimzi emergency, but affected clusters should be upgraded or reconfigured promptly because authentication trust boundaries may be broader than intended.
Technical view
Strimzi Kafka Operator 0.49.0 through 0.50.0 incorrectly configures trusted certificates for custom Cluster or Clients CAs with multistage CA chains. Internal and user-configured listeners may trust all CAs in the chain, affecting mTLS authentication. The issue maps to CWE-287, CWE-295, and CWE-296. Version 0.50.1 fixes it.
Likely exposure
Exposure is limited to Strimzi 0.49.0 through 0.50.0 deployments using a custom Cluster or Clients CA containing multiple CAs. It is unlikely where Strimzi-managed CAs are used, or where the custom CA material contains only one CA.
Exploitation context
The source bundle does not show active exploitation, and KEV is false. Exploitation would require a deployment with the affected custom CA chain design and a certificate signed by a CA in that chain that should not authenticate.
Researcher notes
The key condition is custom multistage CA chains, not Strimzi-managed CA usage. The CVSS vector is network-accessible with high complexity and no privileges or user interaction. Public sources name the fixed version and workaround, but do not provide evidence of in-the-wild exploitation.
Mitigation direction
Upgrade Strimzi Kafka Operator to version 0.50.1 or later.
If upgrade is delayed, configure only the intended single custom CA.
Review custom Cluster and Clients CA material for multi-CA chains.
Monitor vendor advisories for any additional Red Hat or Strimzi guidance.
Validation and detection
Inventory Strimzi Kafka Operator versions across Kubernetes and OpenShift clusters.
Check whether custom Cluster or Clients CAs are configured.
Confirm whether custom CA secrets contain multiple CA certificates.
Verify affected listeners use corrected trust configuration after upgrade or workaround.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-287: Credential and account abuse lookup
Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
5Timeline events
2ADP providers
6Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-287 · source CWE mapping
Improper Authentication
Improper Authentication represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Improper Certificate Validation represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Improper Following of a Certificate's Chain of Trust
Improper Following of a Certificate's Chain of Trust represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.