CVE-2026-10143 HIGH

CVE-2026-10143: kafka-python prior to 2.3.2 DoS via SCRAM Iteration Count in scram.py

Vendor Dana Powers

Product kafka-python

Weakness CWE-400

Published June 10, 2026

Last update June 11, 2026

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in SCRAM authentication handling that allows a malicious or machine-in-the-middle broker to freeze the client event loop by supplying an excessively large iteration count. In scram.py, ScramClient.process_server_first_message() passes the broker-controlled SCRAM iteration count directly to hashlib.pbkdf2_hmac() without validation, blocking producer sends, consumer polls, admin operations, and heartbeats, which can cause consumer group eviction and repeated reconnect failures.

Key dates

Disclosure timeline

June 10, 2026 CVE published

June 11, 2026 Record updated