LiveActive security incident?Get immediate response
CVE Record

CVE-2026-27134: Strimzi: All CAs from a custom CA chain consisting of multiple CAs are trusted for mTLS user autentication

Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. In versions 0.49.0 through 0.50.0, when using a custom Cluster or Clients CA with a multistage CA chain consisting of multiple CAs, Strimzi incorrectly configures the trusted certificates for mTLS authentication on the internal as well as user-configured listeners. All CAs from the CA chain will be trusted. And users with certificates signed by any of the CAs in the chain will be able to authenticate. This issue affects only users using a custom Cluster or Clients CA with a multistage CA chain consisting of multiple CAs. It does not affect users using the Strimzi-managed Cluster and Clients CAs. It also does not affect users using custom Cluster or Clients CA with only a single CA (i.e., no CA chain with multiple CAs). This issue has been fixed in version 0.50.1. To workaround this issue, instead of providing the full CA chain as the custom CA, users can provide only the single CA that should be used.

HighCVSS 8.1Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

This flaw can weaken Kafka client or internal mTLS authentication in specific Strimzi deployments. If a custom multi-CA chain is used, Strimzi may trust every CA in that chain, letting certificates from unintended CAs authenticate. Deployments using Strimzi-managed CAs or a single custom CA are not affected.

Executive priority

Treat as high priority for Kafka platforms using custom certificate chains. It is not a blanket Strimzi emergency, but affected clusters should be upgraded or reconfigured promptly because authentication trust boundaries may be broader than intended.

Technical view

Strimzi Kafka Operator 0.49.0 through 0.50.0 incorrectly configures trusted certificates for custom Cluster or Clients CAs with multistage CA chains. Internal and user-configured listeners may trust all CAs in the chain, affecting mTLS authentication. The issue maps to CWE-287, CWE-295, and CWE-296. Version 0.50.1 fixes it.

Likely exposure

Exposure is limited to Strimzi 0.49.0 through 0.50.0 deployments using a custom Cluster or Clients CA containing multiple CAs. It is unlikely where Strimzi-managed CAs are used, or where the custom CA material contains only one CA.

Exploitation context

The source bundle does not show active exploitation, and KEV is false. Exploitation would require a deployment with the affected custom CA chain design and a certificate signed by a CA in that chain that should not authenticate.

Researcher notes

The key condition is custom multistage CA chains, not Strimzi-managed CA usage. The CVSS vector is network-accessible with high complexity and no privileges or user interaction. Public sources name the fixed version and workaround, but do not provide evidence of in-the-wild exploitation.

Mitigation direction

  • Upgrade Strimzi Kafka Operator to version 0.50.1 or later.
  • If upgrade is delayed, configure only the intended single custom CA.
  • Review custom Cluster and Clients CA material for multi-CA chains.
  • Monitor vendor advisories for any additional Red Hat or Strimzi guidance.

Validation and detection

  • Inventory Strimzi Kafka Operator versions across Kubernetes and OpenShift clusters.
  • Check whether custom Cluster or Clients CAs are configured.
  • Confirm whether custom CA secrets contain multiple CA certificates.
  • Verify affected listeners use corrected trust configuration after upgrade or workaround.
Prepared
Confidence
high
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-287: Credential and account abuse lookup

Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cwe · low confidence lookup

CWE-295: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cwe · low confidence lookup

CWE-296: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Container behavior lookup

The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-27134 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.1 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
5Timeline events
2ADP providers
6Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.1CVSS 3.1HighCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H2.25.9GitHub_M
8.1CVSS 3.1HighCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H2.25.9redhat-SADP

Vulnerability scoring details

Base CVSS 3.1 score

8.1High
CVSS 3.1 vector shape for CVE-2026-27134Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. ADP timelineredhat-SADP

    Made public.

  3. CVE publishedCVE Program

    The CVE record was published.

  4. ADP timelineredhat-SADP

    Reported to Red Hat.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
redhat-SADPstrimzi-kafka-operator: Strimzi: Unauthorized authentication via misconfigured mTLS CA chain
other:Red Hat severity ratingcvssV3_1
  • 2026-02-21T00:01:56.960Z: Reported to Red Hat.
  • 2026-02-20T23:05:04.320Z: Made public.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
strimzistrimzi-kafka-operator>= 0.49.0, < 0.50.1Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-287 · source CWE mapping

Improper Authentication

Improper Authentication represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

CWE-295 · source CWE mapping

Improper Certificate Validation

Improper Certificate Validation represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

CWE-296 · source CWE mapping

Improper Following of a Certificate's Chain of Trust

Improper Following of a Certificate's Chain of Trust represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.