Remote code execution flaw reported in Kafbat UI
Take action: If you're using Kafbat UI version 1.0.0, be aware that there's an attack vector that allows attackers to execute code without authentication. Restrict the API endpoints so they are accessible only from trusted networks, and allow the application to communicate only with known servers. Disable the dynamic configuration feature by setting DYNAMIC_CONFIG_ENABLED: 'false' in your application configuration, then plan a patch.
Learn More
A security vulnerability is reported in Kafbat UI that allows unauthenticated attackers to execute arbitrary code on affected systems. Kafbat UI is a web-based interface for managing Apache Kafka clusters.
The vulnerability is tracked as CVE-2025-49127 (CVSS score 8.9) and is caused by the application's dynamic cluster configuration feature that accepts user-provided JMX endpoints without proper validation. When administrators configure new Kafka clusters through the dynamic configuration API, the application automatically attempts to establish JMX connections to collect performance metrics from the specified endpoints. The system doesn't validate these endpoints properly, allowing attackers to submit malicious cluster configurations through the /api/config endpoint.
An attacker sends an HTTP PUT request to the Kafbat UI configuration endpoint containing a malicious cluster configuration that specifies an attacker-controlled JMX server. The application automatically connects to that server when collecting metrics, triggering the deserialization of a malicious payload.
The vulnerability affects Kafbat UI version 1.0.0.
Organizations using Kafbat UI should upgrade to version 1.1.0 or later. As a mitigating measure, administrators can disable the dynamic configuration feature by setting DYNAMIC_CONFIG_ENABLED: 'false' in their application configuration. This prevents the vulnerable functionality from being reachable while organizations plan their upgrade.
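The two actions above (isolate the configuration endpoint to trusted networks, and set DYNAMIC_CONFIG_ENABLED: 'false') can be checked from the defender's side. The following Python script is an added example, not code from the advisory or from the Kafbat project: it scans access-log lines for requests to the /api/config endpoint named above, flags any that originate outside an assumed set of trusted administrator networks (with PUT writes rated highest), and separately reports whether the mitigation setting is explicitly present. The log format and the sample lines are constructed for the example; the trusted network ranges are assumptions to be replaced with your own.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumption: administrator networks from which the Kafbat UI API may be reached.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Constructed log format for this example: "<client_ip> <METHOD> <path> <status>".
LOG_PATTERN = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

# The endpoint the advisory names as the entry point for dynamic cluster configuration.
CONFIG_ENDPOINT = "/api/config"

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.5.12 GET /api/clusters 200
203.0.113.7 PUT /api/config 200
10.0.5.12 PUT /api/config 200
203.0.113.9 GET /api/config 200
198.51.100.4 GET /api/info 200
"""


@dataclass
class Finding:
    ip: str
    method: str
    path: str
    severity: str  # "high", "medium" or "audit"
    reason: str


def is_trusted(ip: str) -> bool:
    """True when the client address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def analyze(lines):
    """Return findings for every request that touches the config endpoint."""
    findings = []
    for line in lines:
        m = LOG_PATTERN.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        ip, method, path = m.group("ip"), m.group("method"), m.group("path")
        if path.split("?", 1)[0] != CONFIG_ENDPOINT:
            continue
        trusted = is_trusted(ip)
        if method == "PUT" and not trusted:
            # A configuration write from outside the admin networks is the pattern
            # the advisory describes: treat as the highest priority.
            findings.append(Finding(ip, method, path, "high",
                                    "config write from untrusted network"))
        elif not trusted:
            findings.append(Finding(ip, method, path, "medium",
                                    "config endpoint reached from untrusted network"))
        elif method == "PUT":
            # Writes from trusted networks are expected but still worth reviewing.
            findings.append(Finding(ip, method, path, "audit",
                                    "config write from trusted network"))
    return findings


def dynamic_config_disabled(env: dict) -> bool:
    """True only when DYNAMIC_CONFIG_ENABLED is explicitly set to 'false'.

    The default behaviour when the key is absent is deliberately not assumed here,
    so an unset key counts as "mitigation not confirmed".
    """
    value = env.get("DYNAMIC_CONFIG_ENABLED", "")
    return str(value).strip().strip("'\"").lower() == "false"


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.ip} {f.method} {f.path}: {f.reason}")
    print("mitigation set:", dynamic_config_disabled({"DYNAMIC_CONFIG_ENABLED": "false"}))
```

Run against your own access log by replacing SAMPLE_LOG and adjusting LOG_PATTERN to your server's format; the "high" findings are the ones to investigate first, and an unset DYNAMIC_CONFIG_ENABLED is reported as not mitigated rather than guessed.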