Skip to main content


Security advisories


  • 2022-01-31 CVE-2021-41571 Pulsar Admin API allows access to data from other tenants using getMessageById API
  • 2022-09-22 CVE-2022-24280 Apache Pulsar Proxy target broker address isn't validated
  • 2022-09-22 CVE-2022-33681 Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM
  • 2022-09-22 CVE-2022-33682 Disabled Hostname Verification makes Brokers, Proxies vulnerable to MITM attack
  • 2022-09-22 CVE-2022-33683 Disabled Certificate Validation makes Broker, Proxy Admin Clients vulnerable to MITM attack
  • 2022-11-03 CVE-2022-33684 Apache Pulsar C++/Python OAuth Clients prior to 3.0.0 were vulnerable to an MITM attack due to Disabled Certificate Validation


  • 2021-05-25 CVE-2021-22160 Authentication with JWT allows use of "none"-algorithm

Security Policy

The Pulsar community follows the ASF security vulnerability handling process.

To report a new vulnerability you have discovered, please follow the ASF security vulnerability reporting process. To report a vulnerability for Pulsar, contact the Apache Security Team. When reporting a vulnerability to, you can copy your email to to send your report to the Apache Pulsar Project Management Committee. This is a private mailing list.

It is the responsibility of the security vulnerability handling project team (Apache Pulsar PMC in most cases) to make public security vulnerability announcements. You can follow announcements on the mailing list. For instructions on how to subscribe, please see