Overview
To improve the security posture of Confluent Platform, a change was introduced in the Q3 2025 patch releases for versions 7.5.10, 7.6.7, 7.7.5, 7.8.4, 7.9.3, 8.0.1 and 8.1.0. We now realize that this was a breaking change that was not properly communicated in line with our release standards, and that it did not adhere to our versioning and compatibility guarantees.
Specifically, plaintext connector credentials are not available via the /connectors REST endpoint in these release versions.
Rationale
The availability of plaintext credentials via the REST API has been deemed a security risk that can impact the confidentiality of privileged credentials. In line with industry standards, masking of credentials was implemented to mitigate that risk.
New Behavior
The API response returned by the connector configuration endpoint will have the connector credentials masked, as indicated below:
| Before | After |
| --- | --- |
| GET /connectors/{name}/config {"password": "plaintext_database_password"} | GET /connectors/{name}/config {"password": "*****"} |

* Note: This is a representative example. Any additional plaintext credentials returned by this API will be masked similarly.
Impact
This change may break deployments that use the Connect REST API for state reconciliation, or workflows that extract connector secrets. This includes deployments using Confluent Operator (CFK) to manage connectors as custom resources (CRs) in Kubernetes.
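The following added example (not Confluent or CFK code) shows why a reconciler that compares its desired configuration with the GET /connectors/{name}/config response reports permanent drift once credentials are masked, and one mask-aware comparison that still notices a rotated secret. It assumes the mask literal is "*****" as in the representative example above; the connector class, HMAC key, fingerprint store and all values are constructed.

```python
import hashlib
import hmac

MASK = "*****"  # assumption: mask literal from the page's representative example

def fingerprint(value, key):
    """Keyed digest of a secret: lets a reconciler remember what it last
    applied without keeping the plaintext in its state store."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def naive_drift(desired, observed):
    """Plain equality, as a pre-masking reconciler would do."""
    keys = desired.keys() | observed.keys()
    return sorted(k for k in keys if desired.get(k) != observed.get(k))

def mask_aware_drift(desired, observed, applied_fp, key):
    """Treat masked fields as opaque; detect secret changes by comparing the
    desired value's fingerprint with the one recorded at last apply."""
    drift = []
    for k in sorted(desired.keys() | observed.keys()):
        want, have = desired.get(k), observed.get(k)
        if have == MASK and want is not None:
            # The server hides the value, so compare against what was last pushed.
            if not hmac.compare_digest(applied_fp.get(k, ""), fingerprint(want, key)):
                drift.append(k)
        elif want != have:
            drift.append(k)
    return drift

# Constructed sample data (hypothetical connector, key and values).
KEY = b"constructed-local-hmac-key"
DESIRED = {"connector.class": "example.HypotheticalSourceConnector",
           "tasks.max": "2", "password": "constructed-db-password"}
OBSERVED = dict(DESIRED, password=MASK)   # what the masked endpoint returns
APPLIED_FP = {"password": fingerprint(DESIRED["password"], KEY)}

if __name__ == "__main__":
    print("naive:     ", naive_drift(DESIRED, OBSERVED))
    print("mask-aware:", mask_aware_drift(DESIRED, OBSERVED, APPLIED_FP, KEY))
    rotated = dict(DESIRED, password="constructed-rotated-password")
    print("rotated:   ", mask_aware_drift(rotated, OBSERVED, APPLIED_FP, KEY))
```

Workflows that previously read credentials back from this endpoint need their own source of truth for them, since the response no longer carries the secret.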
Resolution Plan
Upgrade the Connect cluster to Confluent Platform 7.5.13, 7.6.10, 7.7.8, 7.8.7, 7.9.6, 8.0.4, 8.1.2 or 8.2.0 at minimum. These versions contain a new connect.password.field.masking.disable configuration property, which controls the masking behaviour and defaults to false.
The versions listed above also include a Confluent for Kubernetes (CFK) reconciliation loop that now works with credential masking enabled. CFK can manage connectors as custom resources (CRs) when you enable credential masking.
See release notes here