<Vulnerability name="CVE-2026-57915">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-06-26T12:09:54</PublicDate>
    <Bugzilla id="2493407" url="https://bugzilla.redhat.com/show_bug.cgi?id=2493407" xml:lang="en:us">
Apache Kerby: org.apache.kerby/kerb-server: Apache Kerby: Kerberos pre-authentication bypass via unrecognized PA-DATA
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>7.3</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-358</CWE>
    <Details xml:lang="en:us" source="Mitre">
It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an unrecognized or unsupported type. Users are recommended to upgrade to version 2.1.2, which fixes this issue.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Apache Kerby. An attacker can bypass the Kerberos pre-authentication check by sending a Pre-Authentication Data (PA-DATA) packet with an unrecognized or unsupported type. This vulnerability allows an attacker to circumvent the initial authentication step, potentially leading to unauthorized access or impersonation within a Kerberos-protected environment.
    </Details>
    <Statement xml:lang="en:us">
This is an Important flaw in Apache Kerby, affecting Red Hat products that utilize Kerberos for authentication, including Red Hat AMQ, JBoss Data Grid, Enterprise Application Platform, and Red Hat JBoss Fuse. The vulnerability allows an attacker to bypass the Kerberos pre-authentication check by sending a specially crafted Pre-Authentication Data (PA-DATA) packet. This circumvents an initial authentication step, potentially leading to unauthorized access or impersonation within a Kerberos-protected environment.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:amq_clients:2023">
        <ProductName>Red Hat AMQ Clients</ProductName>
        <FixState>Affected</FixState>
        <PackageName>kerb-server</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_data_grid:8">
        <ProductName>Red Hat Data Grid 8</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>kerb-server</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_data_grid:8">
        <ProductName>Red Hat Data Grid 8</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>kerb-server-api-all</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_fuse:7">
        <ProductName>Red Hat Fuse 7</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>kerb-server</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jbosseapxp">
        <ProductName>Red Hat JBoss Enterprise Application Platform Expansion Pack</ProductName>
        <FixState>Affected</FixState>
        <PackageName>kerb-server</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jbosseapxp">
        <ProductName>Red Hat JBoss Enterprise Application Platform Expansion Pack</ProductName>
        <FixState>Affected</FixState>
        <PackageName>kerb-server-api-all</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:amq_streams:2">
        <ProductName>streams for Apache Kafka 2</ProductName>
        <FixState>Affected</FixState>
        <PackageName>kerb-server</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:amq_streams:3">
        <ProductName>streams for Apache Kafka 3</ProductName>
        <FixState>Affected</FixState>
        <PackageName>kerb-server</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-57915
https://nvd.nist.gov/vuln/detail/CVE-2026-57915
https://lists.apache.org/thread/1y3glgh3kzwoxo5m2lq504cjlh1dsrfh
    </References>
</Vulnerability>