products / apache_pulsar

Apache Pulsar

Apache Pulsar is a cloud-native, distributed messaging and streaming platform maintained by the Apache Software Foundation, which acts as a CNA. It is increasingly used as a Kafka alternative in AI data pipelines. CVE history includes authentication bypass vulnerabilities in the WebSocket Proxy and broker authorization issues.

api usage

Querying Apache Pulsar

product slugapache_pulsar

version format3.1.0, 2.11.1, 2.10.4

bash

curl "https://api.attestd.io/v1/check?product=apache_pulsar&version=2.11.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"

Pulsar 2.11.0 is affected by CVE-2023-37544 (WebSocket Proxy authentication bypass). Expect risk_state: "critical".

json

{
  "product": "apache_pulsar",
  "version": "2.11.0",
  "supported": true,
  "risk_state": "critical",
  "risk_factors": [
    "authentication_bypass",
    "no_authentication_required",
    "internet_exposed_service",
    "patch_available"
  ],
  "actively_exploited": false,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "2.11.2",
  "confidence": 0.82,
  "cve_ids": ["CVE-2023-37544"],
  "last_updated": "2026-02-23T18:21:30Z"
}

safe version

Apache Pulsar 3.1.0 has no known relevant vulnerabilities at the time of the last synthesis run.

bash

curl "https://api.attestd.io/v1/check?product=apache_pulsar&version=3.1.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"

notable cves

CVE history

Pulsar CVEs concentrate in two areas: authentication bypass in proxy components (WebSocket Proxy, broker topic-level policies) and sensitive data exposure in connection handling. The most severe issues require no credentials to exploit the WebSocket Proxy bypass.

CVE	Description	Affects	CVSS
`CVE-2023-37544`	Authentication bypass in the WebSocket Proxy component allows unauthenticated clients to consume messages from any topic.	< 2.10.6, < 2.11.2, < 3.0.1	9.8
`CVE-2023-31007`	Authentication bypass allows unauthenticated message consumption from Pulsar brokers when topic-level policies are used.	< 2.10.4, < 2.11.1	7.5
`CVE-2022-33681`	Man-in-the-middle attack via sensitive data exposure in Pulsar SQL connection parameters.	< 2.9.3, < 2.10.1	8.8

All products Apache Kafka Apache ActiveMQ Response Field Reference