Severity: HIGH | CVE-2026-10143 | CNA: VulnCheck

CVE-2026-10143: kafka-python prior to 2.3.2 DoS via SCRAM Iteration Count in scram.py

kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in SCRAM authentication handling that allows a malicious or machine-in-the-middle broker to freeze the client event loop by supplying an excessively large iteration count. In scram.py, ScramClient.process_server_first_message() passes the broker-controlled SCRAM iteration count directly to hashlib.pbkdf2_hmac() without validation, blocking producer sends, consumer polls, admin operations, and heartbeats, which can cause consumer group eviction and repeated reconnect failures.

Metrics

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: 2.3.2
Affected Products: 1


HarborGuard Analysis

Synopsis

A denial-of-service vulnerability exists in the SCRAM authentication handling of kafka-python prior to version 2.3.2. Reachable over the network with no authentication required, the flaw allows a malicious or machine-in-the-middle broker to supply an arbitrarily large SCRAM iteration count that is passed unchecked to a CPU-intensive key-derivation function, freezing the client event loop. Successful exploitation blocks producer sends, consumer polls, admin operations, and heartbeats, leading to consumer group eviction and repeated reconnect failures. A patched-image rebuild at version 2.3.2 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-10143 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against kafka-python package versions in customer registries and CI pipelines, including custom-built images that vendor the library directly.

Triage: Available

HarborGuard is capable of scoring this CVE at its published CVSS v4.0 severity of 8.7 (HIGH) and weighting it against each environment's per-organization compliance policy. Triage routing can surface actionable findings to the appropriate team inbox inside each customer org based on configured ownership rules.

Patch: Available

A patched-image rebuild pinned to kafka-python 2.3.2 becomes available on HarborGuard as soon as the fix version is confirmed in the upstream feed. For customers who opt into auto-remediation, HarborGuard is capable of triggering a rebuild, running a regression test suite, and opening a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the client over the network, either by operating a malicious broker or by intercepting the client-to-broker connection (machine-in-the-middle).

  • Authentication: Not required

    No credentials are needed on the attacker side; the malicious payload is delivered as a normal part of the SCRAM handshake before the client authenticates.

  • Victim interaction: Not required

    No user action is required; the client triggers the vulnerable code path automatically on each broker connection attempt.

  • Attack complexity: Low (CVSS AC:L)

    Exploit conditions are reliable and free of race conditions; supplying an oversized iteration count in the server-first message is sufficient to trigger the blocking behavior.
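The root cause described above is a trust boundary problem: the `i=` attribute of the SCRAM server-first message is broker-controlled input, and the client's CPU time is bounded only by whatever value the broker sends. The example below is added here to illustrate the mitigation; it is not kafka-python's code or its 2.3.2 fix. It parses a server-first message, bounds the iteration count against a local policy before `hashlib.pbkdf2_hmac()` is ever called, and only then derives the SaltedPassword. The policy limits (`MIN_ITERATIONS`, `MAX_ITERATIONS`), the sample messages and the password are constructed for the example; the lower bound follows the RFC 5802/7677 recommendation of at least 4096 iterations, the upper bound is a CPU-time budget a deployment would choose for itself.

```python
import base64
import hashlib
import re

# Policy bounds are assumptions for this example, not values from the advisory.
# RFC 5802 / RFC 7677 recommend at least 4096 iterations; the upper bound is a
# local CPU-time budget, chosen so a hostile broker cannot dictate how long the
# client spends inside PBKDF2.
MIN_ITERATIONS = 4096
MAX_ITERATIONS = 100_000

# Constructed sample messages (not captured from a real broker).
_SAMPLE_SALT_B64 = base64.b64encode(b"constructed-salt").decode("ascii")
SAMPLE_SERVER_FIRST = f"r=cnonce123snonce456,s={_SAMPLE_SALT_B64},i=4096"
SAMPLE_OVERSIZED = f"r=cnonce123snonce456,s={_SAMPLE_SALT_B64},i=2000000000"
SAMPLE_UNDERSIZED = f"r=cnonce123snonce456,s={_SAMPLE_SALT_B64},i=1"


class ScramServerFirstError(ValueError):
    """Raised when the server-first message is malformed or violates policy."""


def parse_server_first(msg: str) -> dict:
    """Split a SCRAM server-first message ('r=...,s=...,i=...') into its attributes.

    Each attribute is a single letter, '=', and a value; the three mandatory
    attributes r (nonce), s (salt) and i (iteration count) must be present.
    """
    fields = {}
    for part in msg.split(","):
        if len(part) < 2 or part[1] != "=":
            raise ScramServerFirstError(f"malformed attribute: {part!r}")
        fields[part[0]] = part[2:]
    missing = {"r", "s", "i"} - fields.keys()
    if missing:
        raise ScramServerFirstError(f"missing attributes: {sorted(missing)}")
    return fields


def checked_iteration_count(raw: str, lo: int = MIN_ITERATIONS, hi: int = MAX_ITERATIONS) -> int:
    """Parse the broker-supplied iteration count and enforce the policy range.

    Rejecting here, before any key derivation, is the control that keeps the
    event loop from being pinned by an arbitrarily large value. A count below
    the floor is rejected too: it would weaken the derived key.
    """
    if not re.fullmatch(r"[0-9]+", raw):
        raise ScramServerFirstError(f"iteration count is not a decimal integer: {raw!r}")
    count = int(raw)
    if not lo <= count <= hi:
        raise ScramServerFirstError(f"iteration count {count} outside policy range [{lo}, {hi}]")
    return count


def salted_password(password: str, server_first: str, hashname: str = "sha256") -> bytes:
    """Derive SaltedPassword = PBKDF2(password, salt, i), but only after i passes policy."""
    fields = parse_server_first(server_first)
    iterations = checked_iteration_count(fields["i"])  # raises before any CPU is spent
    salt = base64.b64decode(fields["s"], validate=True)
    return hashlib.pbkdf2_hmac(hashname, password.encode("utf-8"), salt, iterations)


def is_acceptable(server_first: str) -> bool:
    """True if the server-first message would be accepted under the policy above."""
    try:
        fields = parse_server_first(server_first)
        checked_iteration_count(fields["i"])
        base64.b64decode(fields["s"], validate=True)
        return True
    except (ScramServerFirstError, ValueError):
        return False


if __name__ == "__main__":
    # Normal broker: derivation proceeds with the advertised count.
    print(salted_password("pencil", SAMPLE_SERVER_FIRST).hex())
    # Hostile broker: rejected up front instead of freezing the client.
    for sample in (SAMPLE_OVERSIZED, SAMPLE_UNDERSIZED):
        print(sample.rsplit(",", 1)[1], "accepted:", is_acceptable(sample))
```

In a real client the check belongs exactly where the advisory locates the bug, between parsing the server-first message and the PBKDF2 call; nothing about the rest of the handshake changes. The upper bound is the part to tune per deployment: it should comfortably exceed what legitimate brokers are configured to advertise, while keeping the worst-case derivation time well under the consumer heartbeat interval.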

Blast Radius

  • The client event loop freezes for the duration of the expensive key-derivation computation, making the Kafka client entirely unresponsive.
  • Producer sends and consumer polls are blocked, causing message processing to stall and backlogs to accumulate.
  • Heartbeats to the broker coordinator are missed, triggering consumer group eviction and partition rebalancing.
  • Repeated reconnect attempts replay the same vulnerable code path, causing sustained unavailability rather than a one-time disruption.

How HarborGuard Handles This

Available on HarborGuard: detection coverage for CVE-2026-10143 is active across all scanned environments, matching any image that includes kafka-python below 2.3.2. Where a customer's compliance policy permits auto-remediation, HarborGuard can rebuild the affected image at kafka-python 2.3.2, run regression tests against the rebuilt image, and open a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Customers who have not enabled auto-remediation will see the finding surfaced in their triage queue with the fix version clearly indicated. As a compensating control before patching, teams can apply network policy to restrict which broker endpoints clients are permitted to connect to, reducing the opportunity for a machine-in-the-middle to inject a malicious server-first message.


Fix available: 2.3.2

Patch commits

Affected packages
  • Dana Powers / kafka-python: < 2.3.2 (from 0)

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N