CWE-269 · Published 2026-06-18
### Impact

When only the Topic Operator or only the User Operator is deployed as part of the Entity Operator in the `Kafka` custom resource, the RBAC rights do not follow the principle of least privilege: the Entity Operator ServiceAccount still holds the access rights corresponding to both operators. That might allow the ServiceAccount to access `KafkaUser` custom resources and Secrets when the User Operator is not deployed, and to access `KafkaTopic` custom resources when the Topic Operator is not deployed.

### Patches

The issue is fixed in Strimzi 1.0.1 and 1.1.0.

### Workarounds

There is no workaround for this issue.
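To see the gap described above in concrete terms, the following is an added audit script (not Strimzi's own code, and not part of the advisory) that compares the rules of the Entity Operator's Kubernetes Role against the operators actually enabled in the `Kafka` custom resource. The Role is taken in the JSON form that `kubectl get role <name> -o json` prints, and the `entityOperator` section of the `Kafka` spec is inspected for the `topicOperator` and `userOperator` keys. The per-operator resource sets and the sample Role below are constructed for the example and are assumptions about what each operator legitimately needs, not a statement of Strimzi's exact manifests.

```python
"""Audit an Entity Operator Role against the operators that are actually enabled.

Added example, not Strimzi's own code. It derives the resources each enabled
operator legitimately needs and reports every (apiGroup, resource) pair the
Role grants beyond that set. The resource lists and sample objects are
constructed for this example (assumptions about the real manifests).
"""

# Resources assumed to be needed by each operator (constructed for the example).
TOPIC_OPERATOR_NEEDS = {
    ("kafka.strimzi.io", "kafkatopics"),
    ("kafka.strimzi.io", "kafkatopics/status"),
    ("", "events"),
}
USER_OPERATOR_NEEDS = {
    ("kafka.strimzi.io", "kafkausers"),
    ("kafka.strimzi.io", "kafkausers/status"),
    ("", "secrets"),   # user credentials are stored in Secrets
    ("", "events"),
}


def expected_resources(entity_operator):
    """Union of resources needed by the operators present in spec.entityOperator."""
    needed = set()
    if "topicOperator" in entity_operator:
        needed |= TOPIC_OPERATOR_NEEDS
    if "userOperator" in entity_operator:
        needed |= USER_OPERATOR_NEEDS
    return needed


def granted_resources(role):
    """Flatten a Role's rules into (apiGroup, resource) pairs."""
    granted = set()
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                granted.add((group, resource))
    return granted


def excess_grants(role, entity_operator):
    """Sorted list of grants the Role holds but no enabled operator needs."""
    return sorted(granted_resources(role) - expected_resources(entity_operator))


def least_privilege_rules(entity_operator):
    """Build Role rules covering only what the enabled operators need."""
    by_group = {}
    for group, resource in sorted(expected_resources(entity_operator)):
        by_group.setdefault(group, []).append(resource)
    return [
        {"apiGroups": [group], "resources": resources,
         "verbs": ["get", "list", "watch", "create", "patch", "update", "delete"]}
        for group, resources in by_group.items()
    ]


# Constructed sample: a Role that grants the union of both operators' needs,
# i.e. the over-broad state the advisory describes.
SAMPLE_ROLE = {
    "kind": "Role",
    "metadata": {"name": "my-cluster-entity-operator"},
    "rules": [
        {"apiGroups": ["kafka.strimzi.io"],
         "resources": ["kafkatopics", "kafkatopics/status",
                       "kafkausers", "kafkausers/status"],
         "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["secrets", "events"], "verbs": ["*"]},
    ],
}

if __name__ == "__main__":
    # Constructed Kafka CR spec with only the Topic Operator deployed.
    topic_only = {"topicOperator": {}}
    for group, resource in excess_grants(SAMPLE_ROLE, topic_only):
        print(f"excess grant: apiGroup={group or 'core'} resource={resource}")
    print("least-privilege rules:", least_privilege_rules(topic_only))
```

Run against a live cluster, the Role JSON would come from `kubectl get role -n <namespace> <role-name> -o json` and the spec from `kubectl get kafka <cluster> -o json`; the same question can be asked directly of the API server with `kubectl auth can-i list kafkausers.kafka.strimzi.io --as=system:serviceaccount:<namespace>:<serviceaccount>`, where the ServiceAccount name is whatever the Entity Operator Deployment references.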
| CVSS version | Type | Source | Base score | Exploitability score | Impact score | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Secondary | GHSA | 5.4 | — | — | CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N |