JustAppSec

CVE-2026-27134: Strimzi can trust all CAs in a multi-CA chain for mTLS authentication

What happened

A new High-severity vulnerability (CVSS 8.1) was published for Strimzi (CVE-2026-27134). In Strimzi versions 0.49.0 through 0.50.0, when a custom Cluster CA or Clients CA is configured as a multi-stage CA chain containing multiple CAs, Strimzi incorrectly trusts all CAs in that chain for mTLS authentication. As a result, a client certificate signed by any CA in the supplied chain may be accepted for authentication.

Who is impacted

  • Strimzi users running 0.49.0–0.50.0.
  • Deployments that use a custom Cluster CA or Clients CA provided as a CA chain with multiple CAs.
  • Impact can apply to internal listeners (broker replication and control-plane communications) and to user-configured listeners that use TLS client authentication (mTLS).
  • Not impacted: users of Strimzi-managed CAs, or custom CA setups that provide only a single CA (no multi-CA chain).

What to do now

  • Upgrade Strimzi to 0.50.1 (or later) to pick up the fix.
  • If you cannot upgrade immediately, use the documented workaround: provide only the single CA that should be trusted, not the full multi-CA chain.
  • Review any mTLS client certificates issued from intermediate/alternate CAs in your chain, and consider re-issuing/rotating certificates if unintended trust could have existed in your environment.
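The advisory's condition is a CA secret whose PEM bundle holds more than one certificate, and the documented workaround is to supply only the one CA that should be trusted. The following added example (not part of the advisory or of Strimzi's code) is a small audit helper that splits a PEM bundle, reports whether it is a multi-CA chain, and trims it to a single entry. It assumes the caller knows which position in the bundle is the intended issuer (default: the first block) and uses constructed placeholder blocks, not real certificates, as sample input.

```python
import base64
import binascii
import re
from typing import Dict, List

# Matches one PEM certificate block; DOTALL lets the base64 body span lines.
_PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(bundle: str) -> List[str]:
    """Return every certificate in a PEM bundle as its own normalized PEM block.

    The base64 body is validated so that stray text or a truncated block is
    reported as an error instead of being silently counted as a certificate.
    """
    certs = []
    for match in _PEM_CERT_RE.finditer(bundle):
        body = re.sub(r"\s+", "", match.group(1))
        try:
            base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"malformed certificate block: {exc}") from exc
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        certs.append(
            "-----BEGIN CERTIFICATE-----\n" + wrapped + "\n-----END CERTIFICATE-----\n"
        )
    return certs


def audit_ca_bundle(bundle: str) -> Dict[str, object]:
    """Flag a CA bundle that contains more than one certificate.

    On the affected Strimzi versions every CA in such a chain is trusted for
    mTLS, so a count above one is exactly the condition the advisory describes.
    """
    count = len(split_pem_bundle(bundle))
    return {"cert_count": count, "multi_ca_chain": count > 1}


def single_ca_only(bundle: str, keep_index: int = 0) -> str:
    """Apply the workaround: keep exactly one CA from the bundle.

    Which entry is the intended issuer is a deployment decision (assumption in
    this example: the first block is the CA that signs the client certificates),
    so the caller selects it by position.
    """
    certs = split_pem_bundle(bundle)
    if not certs:
        raise ValueError("bundle contains no certificates")
    if not 0 <= keep_index < len(certs):
        raise IndexError(f"keep_index {keep_index} out of range for {len(certs)} certificates")
    return certs[keep_index]


def _placeholder_pem(label: bytes) -> str:
    """Constructed PEM block with a non-certificate payload, for the demo only."""
    body = base64.b64encode(label).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed three-entry "chain" standing in for a custom CA secret's PEM.
# These are not real certificates; only the bundle structure matters here.
SAMPLE_CHAIN = (
    _placeholder_pem(b"constructed: issuing CA")
    + _placeholder_pem(b"constructed: intermediate CA")
    + _placeholder_pem(b"constructed: root CA")
)


if __name__ == "__main__":
    report = audit_ca_bundle(SAMPLE_CHAIN)
    print(f"certificates in bundle: {report['cert_count']}")
    if report["multi_ca_chain"]:
        print("multi-CA chain detected; trimming to a single CA")
        print(single_ca_only(SAMPLE_CHAIN))
```

Run this over the PEM stored in each custom Cluster CA and Clients CA secret (the PEM itself, extracted from the secret with your usual tooling): a `cert_count` above one means the deployment is in the affected configuration until it is upgraded, and `single_ca_only` produces the trimmed value to put back when applying the workaround.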

Additional information

  • CVSS v3.1 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 8.1, High).
  • Weakness classifications: Improper Authentication (CWE-287), Improper Certificate Validation (CWE-295), and Improper Following of a Certificate's Chain of Trust (CWE-296).
  • Upstream reference: GitHub Security Advisory GHSA-2qwx-rq6j-8r6j (linked from the CVE record).

Source: CVEProject cvelistV5 (GitHub)
Published 20 Feb 2026. Updated 20 Feb 2026.