CVE-2026-57915
HIGH 7.3
It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA (the pre-authentication data element of an AS-REQ) with an unrecognized or unsupported type. Users are recommended to upgrade to version 2.1.2, which fixes this issue.
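The bug class the advisory describes, shown as a toy KDC pre-authentication dispatcher. This is an added illustration and not Apache Kerby's code: the request structures, the `VERIFIERS` table, the `verify_enc_timestamp` stand-in (an HMAC over a timestamp instead of real Kerberos encryption) and the principal database are all constructed here. The vulnerable variant treats an entry whose type it has no verifier for as "nothing to reject", so a request carrying only an unknown PA-DATA type never fails a check; the hardened variant only reports success once a recognized method has actually verified.

```python
"""Toy model of KDC AS-REQ pre-authentication handling (constructed example,
not Apache Kerby code). Demonstrates a pre-auth bypass via a PA-DATA entry of
an unrecognized type, and the check that closes it."""
from __future__ import annotations
from dataclasses import dataclass, field
import hashlib
import hmac

PA_ENC_TIMESTAMP = 2          # padata-type from RFC 4120
TIMESTAMP_LEN = 14            # e.g. b"20260101000000" (YYYYMMDDhhmmss)
MAC_LEN = 32                  # SHA-256 HMAC length used by the stand-in


@dataclass
class PaData:
    type: int
    value: bytes


@dataclass
class AsReq:
    client: str
    padata: list[PaData] = field(default_factory=list)


# Constructed principal database: one password-derived key per client.
PRINCIPALS = {"alice@EXAMPLE.COM": hashlib.sha256(b"correct horse").digest()}


def make_enc_timestamp(client: str, timestamp: bytes) -> bytes:
    """Client side of the stand-in PA-ENC-TIMESTAMP: timestamp || HMAC(key, timestamp)."""
    key = PRINCIPALS[client]
    return timestamp + hmac.new(key, timestamp, hashlib.sha256).digest()


def verify_enc_timestamp(req: AsReq, pa: PaData) -> bool:
    """KDC side of the stand-in: recompute the MAC under the client's key."""
    key = PRINCIPALS.get(req.client)
    if key is None or len(pa.value) != TIMESTAMP_LEN + MAC_LEN:
        return False
    ts, mac = pa.value[:TIMESTAMP_LEN], pa.value[TIMESTAMP_LEN:]
    return hmac.compare_digest(hmac.new(key, ts, hashlib.sha256).digest(), mac)


# Only the methods the KDC actually implements. An "unsupported" type (one the
# KDC knows of but has not enabled) is simply absent from this table.
VERIFIERS = {PA_ENC_TIMESTAMP: verify_enc_timestamp}


def preauth_vulnerable(req: AsReq) -> str:
    """Bug pattern: success is assumed unless some verifier explicitly fails.
    An entry with no verifier is skipped, so a request whose only PA-DATA has an
    unrecognized type returns OK without any credential ever being checked."""
    if not req.padata:
        return "PREAUTH_REQUIRED"
    for pa in req.padata:
        verifier = VERIFIERS.get(pa.type)
        if verifier is None:
            continue                       # unknown type: silently ignored
        if not verifier(req, pa):
            return "PREAUTH_FAILED"
    return "OK"                            # reached with zero checks performed


def preauth_fixed(req: AsReq) -> str:
    """Hardened: unknown types still contribute nothing, but OK is only returned
    once at least one recognized method has verified. A KDC may instead answer
    KDC_ERR_PADATA_TYPE_NOSUPP for unknown types; either way they never satisfy
    the requirement."""
    verified = False
    for pa in req.padata:
        verifier = VERIFIERS.get(pa.type)
        if verifier is None:
            continue
        if not verifier(req, pa):
            return "PREAUTH_FAILED"
        verified = True
    return "OK" if verified else "PREAUTH_REQUIRED"


if __name__ == "__main__":
    attacker = AsReq("alice@EXAMPLE.COM", [PaData(9999, b"\x00")])  # no password known
    print("vulnerable:", preauth_vulnerable(attacker))   # OK (bypass)
    print("fixed:     ", preauth_fixed(attacker))        # PREAUTH_REQUIRED
```

The detection-side takeaway is the same as the code's: a KDC must track that a recognized pre-authentication method succeeded, not merely that none failed, because the set of PA-DATA types a client can send is open-ended.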
ELEVATED IMPACT
Severe if exploited (CVSS 7.3), but no known exploitation and low modeled probability. Patch on a normal cadence.
Exploitation likelihood
0.3% chance of exploitation in 30 days · 24th percentile
○ Not in CISA KEV
○ No public exploit / PoC known
Impact if exploited
7.3 · CVSS 3.1 · HIGH
- Confidentiality: Low
- Integrity: Low
- Availability: Low
What an attacker needs
- ✓ Access: Reachable over the network — no local access needed
- ✓ Privileges: No account or privileges required
- ✓ User interaction: No user interaction needed
- ✓ Complexity: No special conditions — reliably repeatable
✓ lowers the bar for an attacker · ⚠ raises it
Affected
Vendors: Apache Software Foundation; Red Hat
Products: Apache Kerby; Red Hat AMQ Clients; Red Hat JBoss Enterprise Application Platform Expansion Pack; Streams for Apache Kafka 2; Streams for Apache Kafka 3; Red Hat Data Grid 8; Red Hat Fuse 7
Weakness (CWE)
- CWE-304: Missing Critical Step in Authentication
- CWE-358: Improperly Implemented Security Check for Standard
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L