CVE Reference
Impacted versions
- Confluent Platform <= 7.1.15, 7.2.13, 7.3.11, 7.4.8, 7.5.7, 7.6.4, 7.7.2, 7.8.1, 7.9.1
- Confluent Cloud managed clusters were impacted through Cluster Linking configurations via OAuth2 Authentication mechanisms. Please note that no security impact was observed for the impacted clusters.
Recommended action
- Upgrade to Confluent Platform >= 7.1.16, 7.2.14, 7.3.12 ,7.4.9, 7.5.8 , 7.6.5 , 7.7.3, 7.8.2, 7.9.2
- Impacted Cloud clusters and associated managed configurations have been patched and no further action is necessary.
Issue
A security vulnerability affecting the Apache Kafka, reported as CVE-2025-27817 has been found to be impacting Confluent Platform and Confluent Cloud via the Cluster Linking functionality when the SASL/OAUTHBEARER configuration is in use.
The issue reported via CVE-2025-27817 refers to a potential arbitrary file read and Server-Side Request Forgery (SSRF) vulnerability in Apache Kafka. This issue stems from the untrusted modifications of kafka client configuration data used for SASL/OAUTHBEARER based connections, specifically the following url configurations are affected:
- sasl.oauthbearer.token.endpoint.url
- sasl.oauthbearer.jwks.endpoint.url
In certain configurations, if Kafka client settings are exposed to untrusted input, there is a risk that an attacker could modify specific URL parameters to access internal IP addresses or local file paths. This could potentially lead to unauthorized file access, exposure of environment variables, or unintended network requests. In some cases, the results of such actions may appear in error logs.
Impact to Confluent Platform
Confluent Platform deployments may be affected if they are running a vulnerable version or have not configured the org.apache.kafka.sasl.oauthbearer.allowed.urls system property to restrict permitted URLs. Exploitation of this vulnerability requires that an untrusted actor has the ability to set or modify Kafka client configurations, which generally assumes privileged levels of access. If successfully exploited, this issue could result in the disclosure of sensitive information from the internal network of the Confluent Platform deployment.
Impact to Confluent Cloud
Confluent Cloud managed dedicated clusters were impacted by this vulnerability when Cluster Linking was configured with OAuth2 authentication.
Remediation
This issue has been addressed in Apache Kafka client versions 3.9.1 and 4.0.0 that introduce a new org.apache.kafka.sasl.oauthbearer.allowed.urls system property. This property allows administrators to define an explicit allowlist of permitted URLs for OAuth token endpoints, helping to prevent connections to unauthorized or internal network locations. In Kafka 3.9.1, the default behaviour allows all URLs to maintain backward compatibility. However, starting with version 4.0.0, the default is an empty allowlist, requiring explicit configuration by administrators.
Confluent Platform: CP versions that incorporate these updates also include support for the org.apache.kafka.sasl.oauthbearer.allowed.urls system property. For customers using affected versions, we recommend explicitly configuring this property with a trusted set of URLs to reduce exposure and mitigate the risk of unauthorized access. Please refer to the links below for specific guidance on setting this property for different contexts:
- https://docs.confluent.io/platform/current/security/authentication/sasl/oauthbearer/configure-clients.html
- https://docs.confluent.io/platform/current/security/authentication/oauth-oidc/configure-connect.html
- https://docs.confluent.io/platform/current/security/authentication/oauth-oidc/configure-cs.html
- https://docs.confluent.io/platform/current/security/authentication/oauth-oidc/configure-rest-proxy.html
Confluent Cloud: Necessary mitigations in the context of managed Confluent Cloud clusters have already been applied and no further remediation action is necessary.
Original CVSS v3.1 Score : 7.5
CVSS v3.1 Calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2025-27817&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N&version=3.1&source=CISA-ADP
Adjusted CVSS v3.1 Score: 4.4
Adjusted CVSS v3.1 Calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/CR:X/IR:X/AR:X/MAV:X/MAC:H/MPR:H/MUI:X/MS:X/MC:X/MI:X/MA:X&version=3.1