Unchecked Input for Loop Condition Affecting kafka-python package, versions [,2.2.20)[2.3.0,2.3.2)


Severity: high (CVSS assessment by Snyk's Security Team)

Threat Intelligence
  • Exploit Maturity: Proof of Concept
  • EPSS: 0.52% (41st percentile)

  • Snyk ID: SNYK-PYTHON-KAFKAPYTHON-17320566
  • Published: 12 Jun 2026
  • Disclosed: 10 Jun 2026
  • Credit: Katriel Moses

Introduced: 10 Jun 2026

CVE-2026-10143
CWE-606

How to fix?

Upgrade kafka-python to version 2.2.20, 2.3.2 or higher.

Overview

kafka-python is a Pure Python client for Apache Kafka.

Affected versions of this package are vulnerable to Unchecked Input for Loop Condition in the SCRAM authentication handling. An attacker can cause the client's event loop to freeze by supplying an excessively large iteration count during authentication, which can prevent critical operations such as sending messages, polling for new messages, and maintaining heartbeats, ultimately resulting in consumer group eviction and persistent connection failures.
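To show where the missing bound sits, here is an added example (not kafka-python's own code) of a defensive SCRAM server-first-message parser that validates and caps the iteration count before it is allowed to drive PBKDF2. The cap value is an assumption of this example, and the sample message is the SCRAM-SHA-256 exchange from RFC 7677.

```python
import base64
import hashlib
import re

# Illustrative cap (assumption of this example, not a kafka-python setting):
# RFC 7677 recommends at least 4096 iterations; real servers stay far below this.
MAX_ITERATIONS = 1_000_000


class ScramServerFirstError(ValueError):
    """Server-first-message is malformed or unsafe to process."""


def parse_server_first(msg: str, client_nonce: str,
                       max_iterations: int = MAX_ITERATIONS) -> dict:
    """Parse 'r=<nonce>,s=<base64 salt>,i=<count>' (RFC 5802) defensively."""
    fields = {}
    for part in msg.split(","):
        if len(part) < 2 or part[1] != "=":
            raise ScramServerFirstError(f"malformed attribute {part!r}")
        fields[part[0]] = part[2:]
    for key in ("r", "s", "i"):
        if key not in fields:
            raise ScramServerFirstError(f"missing attribute {key!r}")
    if not fields["r"].startswith(client_nonce):
        raise ScramServerFirstError("server nonce does not extend client nonce")
    # RFC 5802: a positive decimal integer with no leading zero or sign.
    if not re.fullmatch(r"[1-9][0-9]*", fields["i"]):
        raise ScramServerFirstError("iteration count is not a positive integer")
    iterations = int(fields["i"])
    # The bound this advisory is about: reject before the count drives PBKDF2,
    # so a hostile or buggy server cannot stall the client's event loop.
    if iterations > max_iterations:
        raise ScramServerFirstError(
            f"iteration count {iterations} exceeds cap {max_iterations}")
    try:
        salt = base64.b64decode(fields["s"], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ScramServerFirstError("salt is not valid base64") from exc
    return {"nonce": fields["r"], "salt": salt, "iterations": iterations}


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802 for SCRAM-SHA-256; call only with a parsed, bounded count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


# Sample server-first-message taken from the RFC 7677 SCRAM-SHA-256 example.
SERVER_FIRST = ("r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,"
                "s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096")
```

A client that applies the cap fails the handshake quickly with a clear error instead of spending unbounded CPU time in `pbkdf2_hmac` while heartbeats and polls are starved.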
