{
  "variant_id": "pruva-kafka-oauthbearer-invalid-claims-signature-20260711",
  "created_at": "2026-07-11T04:20:00Z",
  "variant_summary": "Alternate trigger on Apache Kafka 4.1.0 broker SASL/OAUTHBEARER: non-expired JWTs with wrong issuer, wrong audience, or untrusted signature are accepted through the same DefaultJwtValidator -> ClientJwtValidator broker path. Kafka 4.1.2 rejects all tested variants, so this is not a fixed-version bypass.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/apache/kafka",
  "submitted_target": {
    "target_kind": "release_tag",
    "commit_sha": "13f70256db3c994c590e5d262a7cc50b9e973204",
    "version": "4.1.0",
    "ref": "4.1.0",
    "display": "Apache Kafka 4.1.0 release tag and binary distribution"
  },
  "variant_target": {
    "target_kind": "release_tag",
    "commit_sha": "c82fd9b934b4c1e6fa799e3f1dcc8f08d997740c",
    "version": "4.1.2",
    "ref": "4.1.2",
    "display": "Apache Kafka 4.1.2 fixed release tag and binary distribution; tested as the bypass target and rejected all variant inputs"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "Kafka broker SASL/OAUTHBEARER network authentication",
  "validated_surface": "network_protocol",
  "required_entrypoint_kind": "tcp_peer",
  "required_entrypoint_detail": "Kafka TCP listener configured with SASL/OAUTHBEARER and OAuthBearerValidatorCallbackHandler; raw SaslHandshake followed by SaslAuthenticate containing auth=Bearer <JWT>",
  "attacker_controlled_input": "JWT in the SASL/OAUTHBEARER initial client response, specifically a valid-exp JWT with wrong issuer, wrong audience, or signature from an untrusted key",
  "trigger_path": "TCP connection -> SaslHandshake(OAUTHBEARER) -> SaslAuthenticate(auth=Bearer <JWT>) -> OAuthBearerValidatorCallbackHandler.handleValidatorCallback -> DefaultJwtValidator.validate -> ClientJwtValidator.validate on Kafka 4.1.0; BrokerJwtValidator.validate on Kafka 4.1.2",
  "observed_impact_class": "authz_bypass",
  "exploitability_confidence": "high",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "not_a_fixed_version_bypass",
  "blocking_mitigation": "Kafka 4.1.2 DefaultJwtValidator selects BrokerJwtValidator when sasl.oauthbearer.jwks.endpoint.url is configured; BrokerJwtValidator rejected wrong issuer, wrong audience, and tampered/untrusted signature inputs.",
  "file_path": "clients/src/main/java/org/apache/kafka/common/security/oauthbearer/DefaultJwtValidator.java",
  "line_start": 55,
  "line_end": 65,
  "secondary_anchors": [
    {
      "file_path": "clients/src/main/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerValidatorCallbackHandler.java",
      "line_start": 136,
      "line_end": 160
    },
    {
      "file_path": "clients/src/main/java/org/apache/kafka/common/security/oauthbearer/ClientJwtValidator.java",
      "line_start": 96,
      "line_end": 127
    },
    {
      "file_path": "clients/src/main/java/org/apache/kafka/common/security/oauthbearer/BrokerJwtValidator.java",
      "line_start": 120,
      "line_end": 159
    },
    {
      "file_path": "clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java",
      "line_start": 315,
      "line_end": 333
    }
  ],
  "review_scope_paths": [
    "clients/src/main/java/org/apache/kafka/common/security/oauthbearer/DefaultJwtValidator.java",
    "clients/src/main/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerValidatorCallbackHandler.java",
    "clients/src/main/java/org/apache/kafka/common/security/oauthbearer/ClientJwtValidator.java",
    "clients/src/main/java/org/apache/kafka/common/security/oauthbearer/BrokerJwtValidator.java",
    "clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java",
    "clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/unsecured/OAuthBearerUnsecuredValidatorCallbackHandler.java",
    "docs/security/security-model.md",
    "SECURITY.md"
  ],
  "artifact_refs": {
    "variant_manifest": "vuln_variant/variant_manifest.json",
    "validation_verdict": "vuln_variant/validation_verdict.json",
    "runtime_manifest": "vuln_variant/runtime_manifest.json",
    "repro_log": "logs/vuln_variant/reproduction_steps.log",
    "root_cause_equivalence": "vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "vuln_variant/reproduction_steps.sh"
    ],
    "patch_analysis": "vuln_variant/patch_analysis.md",
    "source_identity": "vuln_variant/source_identity.json",
    "variant_evidence": "logs/vuln_variant/variant_evidence.log"
  }
}
