CVE-2026-25999 HIGH

CVE-2026-25999: Klaw has an improper authorisation check on /resetMemoryCache

Vendor Aiven-Open
Product klaw
Weakness CWE-285
Published February 11, 2026
Last update February 12, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

What the vulnerability does

Description

Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to 2.10.2, there is an improper access control vulnerability that allows unauthorized users to trigger a reset or deletion of metadata for any tenant. By sending a crafted request to the /resetMemoryCache endpoint, an attacker can clear cached configurations, environments, and cluster data. This vulnerability is fixed in 2.10.2.

Key dates

Disclosure timeline

February 11, 2026 CVE published
February 12, 2026 Record updated