VDB

GCVE-110-CONFSA-2025-0002

GCVE-110-CONFSA-2025-0002
Advisory Published
Vulnetix · Advisory published November 6, 2025
Impacted versions: All currently available versions of Confluent Platform deployed using the Confluent Operator in SASL Plain mode in the default configuration.  Recommended actions: Upgrade Confluent Operator to versions 2.9.7, 2.10.3,  2.11.3, 3.0.1 or later .  Post upgrade ,follow the steps listed in the remediation section to rotate the weak default hard-coded credential Issue: When a CFK cluster is created using SASL_SSL with the PLAIN mechanism, and no additional JAAS configuration is provided, CFK will silently generate a principal (user) named "operator" with a weak, hardcoded password. Impact to Confluent Platform:  Confluent Platform instances deployed with the Confluent Operator using the default SASL_SSL and PLAIN mechanism configuration are impacted. In this setup, if customers haven’t applied custom security settings, a hardcoded weak password may be present. An attacker with knowledge of the default hard-coded password with network reachability to the broker could gain unauthorized access. A successful attack would result in the compromise of the confidentiality, integrity, and availability of customer data accessible through the brokers. Remediation: Customers should update their running clusters to remove the hardcoded credentials. Please follow the knowledge base article available at Confluent Support Portal .  Applying this fix may require up to two full cluster rolls. CVSS v3.1 Score: 8.0 CVSS v3.1 Calculator:  NVD - CVSS v3.1 Calculator Link

Browse GCVE Records

71,925 records in the GCVE database · Updated July 13, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›