{
  "same_root_cause": true,
  "confidence": "high",
  "parent_trigger": "Expired JWT replay accepted by Kafka 4.1.0 broker SASL/OAUTHBEARER path because DefaultJwtValidator delegated to ClientJwtValidator.",
  "variant_triggers": [
    "Non-expired JWT with wrong issuer accepted by Kafka 4.1.0 broker SASL/OAUTHBEARER path.",
    "Non-expired JWT with wrong audience accepted by Kafka 4.1.0 broker SASL/OAUTHBEARER path.",
    "Non-expired JWT signed by an untrusted key accepted by Kafka 4.1.0 broker SASL/OAUTHBEARER path."
  ],
  "shared_sink": "OAuthBearerValidatorCallbackHandler.handleValidatorCallback -> DefaultJwtValidator.validate -> ClientJwtValidator.validate on Kafka 4.1.0",
  "fixed_path": "OAuthBearerValidatorCallbackHandler.handleValidatorCallback -> DefaultJwtValidator.validate -> BrokerJwtValidator.validate on Kafka 4.1.2 when sasl.oauthbearer.jwks.endpoint.url is configured",
  "trust_boundary": "Untrusted network peer to Kafka broker SASL/OAUTHBEARER listener",
  "why_equivalent": "All triggers rely on the same incorrect delegate selection in Kafka 4.1.0: a secured broker callback handler with JWKS configured still uses ClientJwtValidator, which parses claims without enforcing broker-grade JWT validation properties. The tested fixed version routes the same inputs to BrokerJwtValidator and rejects them.",
  "bypass_status": "not_a_bypass; fixed target rejected all tested variants"
}
