There is a small timing window in SimpleAclAuthorizer where ACL updates may be lost if two brokers create ACLs for a resource at the same time.
Scenario: Administrator creates new.topic and sends one ACL request to add ACL for UserA for new.topic and a second request to add ACL for UserB for new.topic using AdminClient. These requests may be sent to different brokers by AdminClient. In most cases, both ACLs are added for the resource new.topic, but there is a small timing window where one broker may overwrite the ACL written by the other broker, resulting in only one of the ACLs (either UserA or UserB) being actually stored in ZooKeeper. The timing window itself is very small, but we have seen intermittent failures in SimpleAclAuthorizerTest.testHighConcurrencyModificationOfResourceAcls as a result of this window.
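The interleaving described above, replayed against an in-memory stand-in for a versioned ZooKeeper znode. This is an added example, not code from Kafka or from SimpleAclAuthorizer; the `VersionedNode` class, the `User:UserA`/`User:UserB` strings and the broker labels are constructed for illustration. The first function reproduces the lost update (blind read-modify-write), the second shows the usual mitigation: a conditional write that carries the version read, so the broker that loses the race gets a version mismatch, re-reads and merges instead of clobbering.

```python
"""Lost-update race on a shared ACL node, and a compare-and-set fix.

Constructed example: VersionedNode mimics a ZooKeeper znode, which tracks a
data version and can reject a write whose expected version is stale. It is
not Kafka's authorizer code.
"""
from dataclasses import dataclass, field
from typing import Set, Tuple


class BadVersionError(Exception):
    """Raised when a conditional write's expected version does not match."""


@dataclass
class VersionedNode:
    """In-memory stand-in for a znode: a set of ACL strings plus a version."""
    acls: Set[str] = field(default_factory=set)
    version: int = 0

    def read(self) -> Tuple[Set[str], int]:
        # Return a copy so callers cannot mutate stored state behind our back.
        return set(self.acls), self.version

    def write_unconditional(self, acls: Set[str]) -> None:
        # Blind overwrite: whoever writes last wins, regardless of what they read.
        self.acls = set(acls)
        self.version += 1

    def write_if_version(self, acls: Set[str], expected_version: int) -> None:
        # Conditional overwrite, in the spirit of ZooKeeper's versioned setData.
        if expected_version != self.version:
            raise BadVersionError(
                f"expected version {expected_version}, node is at {self.version}"
            )
        self.acls = set(acls)
        self.version += 1


def lost_update_interleaving(node: VersionedNode, acl_a: str, acl_b: str) -> Set[str]:
    """Racy interleaving: both brokers read before either writes (blind writes)."""
    acls_on_broker1, _ = node.read()   # broker 1 reads the current ACL set
    acls_on_broker2, _ = node.read()   # broker 2 reads the same set
    acls_on_broker1.add(acl_a)
    node.write_unconditional(acls_on_broker1)  # broker 1 stores {A}
    acls_on_broker2.add(acl_b)
    node.write_unconditional(acls_on_broker2)  # broker 2 stores {B}, A is lost
    return node.read()[0]


def add_acl_cas(node: VersionedNode, acl: str, max_retries: int = 5) -> bool:
    """Read-modify-write guarded by the version read; re-read and retry on conflict."""
    for _ in range(max_retries):
        acls, version = node.read()
        acls.add(acl)
        try:
            node.write_if_version(acls, version)
            return True
        except BadVersionError:
            continue  # someone else wrote in between; merge against fresh data
    return False


def cas_interleaving(node: VersionedNode, acl_a: str, acl_b: str) -> Set[str]:
    """Same interleaving as above, but with conditional writes: the loser retries."""
    acls_on_broker1, ver1 = node.read()
    acls_on_broker2, ver2 = node.read()
    acls_on_broker1.add(acl_a)
    node.write_if_version(acls_on_broker1, ver1)  # broker 1 wins, version bumps
    acls_on_broker2.add(acl_b)
    try:
        node.write_if_version(acls_on_broker2, ver2)  # stale version: rejected
    except BadVersionError:
        add_acl_cas(node, acl_b)  # broker 2 re-reads {A}, writes {A, B}
    return node.read()[0]


if __name__ == "__main__":
    print("blind writes:", lost_update_interleaving(VersionedNode(), "User:UserA", "User:UserB"))
    print("conditional writes:", cas_interleaving(VersionedNode(), "User:UserA", "User:UserB"))
```

The blind-write replay ends with only `User:UserB` stored; the conditional-write replay ends with both entries. The retry loop in `add_acl_cas` is what turns the race into a harmless re-read, so a test like the `testHighConcurrencyModificationOfResourceAcls` case mentioned above should assert on the final ACL set rather than on the absence of write errors.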
Even though this issue can result in incorrect ACLs affecting security, we have not raised this as a security vulnerability since this is not an exploitable issue. ACLs can only be set by privileged users in Kafka who have Alter access on the Cluster resource. Users without this privileged access cannot use this issue to gain additional access to any resource.