Kafbat UI: Review, pricing, and best alternatives in 2026

Factor House
May 24th, 2026

Key takeaways

  • Kafbat is a free, open-source Kafka UI forked from the abandoned Provectus kafka-ui project in early 2024, maintained by community volunteers with no commercial backing and no SLA.
  • The tool covers the core Kafka visibility surface well: multi-cluster management, Avro/Protobuf/JSON deserialization, Schema Registry, Kafka Connect, and CEL-based message filtering.
  • Regression bugs across minor version upgrades have repeatedly broken Confluent Cloud connectivity and Schema Registry serde auto-selection; many users on v1.3.0 choose to stay there rather than upgrade.
  • RBAC is available but shallow: configuration is error-prone and fails silently, with no team namespacing, no per-role data masking override, and no approval workflows.
  • For teams that need enterprise-grade access controls, reliable support, and a commercial SLA, Kpow from Factor House is worth evaluating alongside Kafbat.

What is Kafbat?

Kafbat is a web-based UI for Apache Kafka clusters. It is the active continuation of the Provectus kafka-ui project, which paused development in late 2023 and left a critical remote code execution vulnerability unpatched for approximately six months. In early 2024, core contributors led by Roman Zabaluev (GitHub: Haarolean) and germanosin forked the project to kafbat/kafka-ui and released v1.0.0 in March 2024.

The project operates under a GitHub Sponsors model. There is no commercial backer, no paid tier, and no SLA. Development velocity is determined by volunteer contributor interest and the priorities of the core maintainers.

At its core, Kafbat supports multi-cluster management, topic browsing, message inspection with Avro/Protobuf/JSON Schema deserialization, consumer group lag monitoring, Schema Registry integration, Kafka Connect management, and ACL administration. Version 1.3.0 (July 2025) added GCP IAM authentication and MCP (Model Context Protocol) support. Version 1.5.0 introduced live consumer lag updates.

Kafbat review

Functionalities

Kafbat's core visibility features are solid for a free tool. Topic browsing, message inspection, and Schema Registry deserialization work reliably in stable releases. The move from Groovy-based scripting to CEL (Common Expression Language) filters is consistently praised: it removes the Groovy-based RCE risk while giving users a more expressive and readable filter syntax.

That said, the functionality surface has recurring rough edges. Consumer lag accuracy is unreliable when transactional producers are in use: end-of-transaction marker messages are counted in the lag calculation, causing persistently elevated readings that do not reflect actual consumer progress (krumft, GitHub Issue #1039, April 2025). Filtering behaviour under high message volumes has been described as "unstable and unpredictable" (Rajan Gaul, Product Hunt, approximately February 2026). CEL filters are not persisted between sessions, requiring users to re-enter them on every login (GitHub Issue #1401, October 2025).

There is no message replay capability from the UI, and no ability to add brokers, increase partitions, rebalance, or change replica counts from the interface (Zeenia Gupta, Platformatory, September 2024). These are open feature requests rather than bugs, but they matter for teams that need operational tooling, not just observational tooling.

Deployment and operations

Docker deployment is fast: the project is launchable with a single command and accessible at localhost:8080 (Vorrawut Judasri, Medium, October 2024). A Helm chart is actively maintained for Kubernetes deployments, with quick-start documentation available.

The main operational pain point is dynamic cluster configuration in Kubernetes. Users who attempt to add clusters through the UI in a Kubernetes deployment consistently receive 400 Bad Request validation errors. Static YAML configuration works; dynamic configuration does not. Documentation on how to deploy with dynamic config via Helm is described by multiple users as absent or insufficient (RaWqqq8, GitHub Issue #1637, January 2026).

Other operational issues to be aware of:

  • Spring Boot 3.4.4 reports unbound properties when cluster config is injected via environment variables, blocking AWS Secrets Manager and similar cloud-native secret patterns (Heniland, GitHub Issue #1045, April 2025).
  • The Helm chart cannot mix yamlApplicationConfig with an existing secret, has no extraDeploy support, and does not expose deployment strategy configuration (Helm chart issues #43, #57, #47).
  • The default Docker configuration recommends a minimum of 4 GB RAM, which can catch out teams running smaller instances.

Access control and security

Kafbat supports YAML-based RBAC, OAuth2 (Google, GitHub, Azure AD), LDAP/Active Directory, and basic auth. Active Directory support was added in v1.1.0 in response to demand carried over from the Provectus project. Data masking is available with REMOVE, REPLACE, and MASK policies. Audit logging ships as a built-in feature, writing events to a Kafka topic.

In practice, RBAC configuration is error-prone. The most common failure mode is a mismatch between the OAuth token attribute used for subject matching and the email or username format in the RBAC YAML, causing silent permission failures where users cannot see any clusters at all. The project's own FAQ directs users to enable trace logging on io.kafbat.ui.service.rbac.extractor to diagnose the problem (kafbat RBAC FAQ; GitHub Discussion #290, April 2024).
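
The mismatch described above, as an added example (not Kafbat code): a simplified model of user-subject matching that reports why a login matches no role. The role and claim data are constructed, `name_claim` is a hypothetical parameter, and exact string comparison is an assumption; trace logging on the extractor package remains the authoritative check.

```python
# Simplified model of RBAC subject matching; not Kafbat's implementation.
# Constructed sample mirroring the `rbac.roles` YAML (provider/type/value).
ROLES = [
    {"name": "platform-admins", "clusters": ["prod"],
     "subjects": [{"provider": "oauth_google", "type": "user",
                   "value": "alice@example.com"}]},
    {"name": "dev-readers", "clusters": ["dev"],
     "subjects": [{"provider": "oauth_google", "type": "user",
                   "value": "bob@example.com"}]},
]

# Constructed token claims for two logins.
ALICE = {"sub": "1093821", "email": "alice@example.com", "name": "Alice A."}
BOB = {"sub": "2210045", "email": "Bob@Example.com", "name": "Bob B."}


def explain(roles, claims, name_claim, provider):
    """Return (matched_role_names, hints) for one login.

    name_claim is the token attribute treated as the principal name
    (hypothetical parameter); matching is assumed to be exact.
    """
    principal = claims.get(name_claim)
    matched, hints = [], []
    if principal is None:
        hints.append(f"token has no '{name_claim}' claim")
    for role in roles:
        for subj in role["subjects"]:
            if subj["provider"] != provider or subj["type"] != "user":
                continue
            want = subj["value"]
            if principal == want:
                matched.append(role["name"])
                continue
            if isinstance(principal, str) and principal.lower() == want.lower():
                hints.append(f"{role['name']}: '{want}' vs '{principal}' differ only by case")
            for claim, val in claims.items():
                if claim != name_claim and val == want:
                    hints.append(f"{role['name']}: '{want}' is in claim '{claim}', not '{name_claim}'")
    return matched, hints


if __name__ == "__main__":
    for who, claim in ((ALICE, "sub"), (ALICE, "email"), (BOB, "email")):
        print(claim, explain(ROLES, who, claim, "oauth_google"))
```

An empty match list with a non-empty hint list is the "user sees no clusters" case: the subject value exists in the token, but under a different claim or in a different case than the RBAC entry expects.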

The security record warrants scrutiny for compliance-sensitive teams. CVE-2025-49127 (CVSS 10.0) was introduced in kafbat's own v1.0.0: the application accepted user-provided JMX endpoints without validation, and a 30-second scheduler automatically connected to them, allowing any unauthenticated user to trigger unsafe Java deserialization and execute arbitrary code. It was patched in v1.1.0 (SecureLayer7, July 2025). This follows CVE-2023-52251, an RCE inherited from Provectus that took approximately six months to be patched under the original maintainers.

Further gaps: there is no per-role data masking override (feature requested but not yet implemented; GitHub Issue #1311, September 2025), no team namespacing, no approval workflows, and no policy enforcement layer. The audit log feature is documented but inaccessible to users under RBAC due to a confirmed access denial bug that also generates continuous error spam in the server console (povigg, GitHub Discussion #587, October 2024).

User interface

Kafbat's UI is consistently described as the most modern and visually clean among open-source Kafka UIs, and onboarding is fast for engineers already familiar with Kafka (multiple comparison sources, including Conduktor and Platformatory; Vorrawut Judasri, Medium, October 2024).

The main UX pain points are:

  • Filters reset on every session, requiring manual re-entry (GitHub Issue #1401).
  • No consumer groups or lag visibility in the Topics list; users must navigate away to find lag context (GitHub Issue #1405).
  • The Produce Message sidebar does not retain its "Keep Contents" state between uses (GitHub Issue #1535, November 2025).
  • With Kafka 4.x in KRaft mode, the UI shows inconsistent partition leaders on every page refresh because it queries brokers rather than the KRaft quorum controller; at least one user reported nearly aborting a production migration based on the false impression of leadership instability (elielfg, GitHub Issue #1513, November 2025).
  • There are no time-series graphs for consumer lag or message throughput; this has been an open feature request since early in the project (GitHub Issue #233).

Ecosystem

Kafbat covers the standard Confluent ecosystem: Schema Registry with Avro, Protobuf, and JSON Schema deserialization, Kafka Connect with connector and task management, and basic ksqlDB. Custom SerDe plugins are available, including an AWS Glue integration. GCP IAM authentication and MCP support were added in v1.3.0 (Release Discussion #1212, Haarolean, July 2025).

Cloud-managed Kafka compatibility has been a recurring problem in recent releases. Confluent Cloud connectivity broke in v1.4.x and v1.5.0 due to a metrics refactor that introduced three unhandled failure modes, leaving the cluster in a permanent INITIALIZING state. v1.3.0 works with the same configuration (miehar, GitHub Issue #1852, May 2026). Schema Registry OAuth2 authentication is not supported, blocking use with services such as Google Managed Schema Registry (GitHub Issue #1575, December 2025). Multiple Schema Registries per cluster are not supported (GitHub Discussion #569, October 2024). Flink integration is not available.

Customer support

Kafbat's primary maintainer, Roman Zabaluev, is actively responsive on GitHub: triage typically happens within days, and there is at least one documented case of an Azure AD RBAC misconfiguration being diagnosed and resolved within 24 hours of the report (GitHub Discussion #290, April 2024). The GitHub Sponsors program offers priority bug handling for sponsors as a formal support incentive.

There is no commercial support tier, no SLA, and no dedicated support queue. Several issues remain open without resolution for months. The audit log RBAC discussion was closed without a confirmed fix for the user who reported it (GitHub Discussion #587, October 2024). For teams that cannot absorb an unresolved incident in production, the absence of an escalation path is a meaningful operational risk.

Best for

Kafbat is well suited to solo engineers and small teams of up to roughly five engineers who need cluster visibility for development or staging environments, are comfortable managing open-source tooling, and are running self-managed Kafka clusters rather than cloud-managed services. It is a practical starting point where budget is the primary constraint and the team can absorb configuration and maintenance overhead.

It is not a strong fit for teams where several engineers share a production cluster and need RBAC at team or namespace granularity, organisations with compliance requirements that depend on a clean server-side audit trail, teams using Confluent Cloud on v1.4.x or later, or any organisation that requires a commercial support channel or SLA.

Kafbat pricing

Kafbat is free and open-source under the Apache 2.0 licence. There is no paid tier and no enterprise edition.

Pricing tiers

| Tier | Price | What is included |
|---|---|---|
| Open-source | Free | Full feature set; self-hosted; community support via GitHub Issues and Discussions |

Free trial

There is nothing to trial: the full application is freely available. Deployment takes a few minutes via Docker or Kubernetes, with no registration required.

Kafbat competitors and alternatives

The open-source Kafka UI market includes a handful of actively maintained tools, from lightweight read-only viewers to fuller operational consoles. Commercial options offer stronger access controls, vendor support, and broader ecosystem integrations at the cost of licensing fees.

| Tool | Best for | Type | Key functionalities | Deployment and ops | Access control | User interface | Pricing |
|---|---|---|---|---|---|---|---|
| Kpow (Factor House) | Teams needing enterprise RBAC, compliance controls, and commercial support | Commercial | Multi-cluster Kafka, advanced RBAC, data masking, Schema Registry, Kafka Connect | Stateless; straightforward deployment; per-cluster pricing | Advanced RBAC; trusted by large enterprises including HPE | WCAG-compliant; clean and modern | Per-cluster |
| Kafbat | Small teams and dev environments on a budget | OSS | Multi-cluster, Avro/Protobuf/JSON, CEL filters, Schema Registry, Kafka Connect | Docker/Kubernetes; Helm chart; dynamic config issues in Kubernetes | YAML RBAC; OAuth2; LDAP; no team namespacing | Modern and clean; no filter persistence | Free |
| Conduktor | Enterprise teams needing governance and approval workflows | Commercial | Data masking, approval workflows, data quality, consumer group management | Cloud or self-hosted | Fine-grained RBAC; team namespacing; approval workflows | Polished; feature-rich | Paid tiers |
| Confluent Control Center | Teams standardised on Confluent Platform | Commercial | End-to-end monitoring, Stream Lineage, ksqlDB, Kafka Connect | Bundled with Confluent Platform | Integrated with Confluent RBAC | Comprehensive; can feel dense | Bundled with Confluent |
| AKHQ | Small teams needing a lightweight read-only view | OSS | Topic browsing, message inspection, consumer groups, Schema Registry | Docker/Kubernetes | Basic RBAC | Functional; less polished than Kafbat | Free |
| Redpanda Console | Teams on Redpanda or vanilla Kafka | OSS / Commercial | Topic management, message viewer, Schema Registry, Kafka Connect | Docker/Kubernetes; cloud option | Basic RBAC in OSS; more in paid tier | Modern and fast | Free (OSS); paid (cloud) |

For a broader side-by-side comparison, see Top Kafka UI tools in 2026: a practical comparison for engineering teams.

Frequently asked questions about Kafbat

How much does Kafbat cost, and is there a free tier?

Kafbat is fully free and open-source under Apache 2.0. There is no paid tier. The full application is self-hosted and takes minutes to deploy via Docker or Kubernetes — no account or registration required.

When is Kafbat a better choice than the alternatives?

Kafbat suits small teams and dev environments where budget is the primary constraint and the team can absorb configuration overhead. If you are self-managing Kafka, need basic cluster visibility, and do not require an SLA or enterprise controls, Kafbat is a reasonable starting point.

When are the alternatives a better choice than Kafbat?

When you need team-level RBAC, a reliable audit trail, Confluent Cloud stability, or a commercial support channel. Kafbat has documented gaps in all four areas, and two critical unauthenticated RCEs (both CVSS 10.0) have been disclosed in the project's history.

Is Kafbat secure?

Kafbat has had two CVSS 10.0 vulnerabilities disclosed: one inherited from Provectus, and CVE-2025-49127, which the kafbat team introduced in v1.0.0 and patched in v1.1.0. Running v1.1.0 or later and restricting network access to the UI are the minimum mitigations for production deployments.