Description
Deserialization of Untrusted Data vulnerability in Apache Storm.

Versions Affected:
before 2.8.6.


Description:
When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs.


Mitigation:
2.x users should upgrade to 2.8.6.


Users who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6.

Credit: This issue was discovered by K.
Published: 2026-04-13
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Apache Storm deserializes a base64-encoded Kerberos TGT blob from topology credentials using ObjectInputStream.readObject() without validating or filtering the class types. This flaw allows an attacker with topology submission rights to embed a crafted serialized object in the TGT field of a Nimbus Thrift API call, which is then deserialized by the Nimbus and Worker JVMs. The result is arbitrary code execution on the Storm cluster nodes.

Affected Systems

Any installation of the Apache Storm client before version 2.8.6 is affected. The vulnerability impacts both Nimbus and Worker components, which process the submitted topology credentials.

Risk and Exploitability

The flaw carries high severity due to remote code execution, but exploitation requires authenticated access to submit a topology. EPSS data is unavailable and the vulnerability is not currently listed in the CISA KEV catalogue. As the attack vector relies on authorized topology submission, an internal attacker or a compromised client with those rights could exploit the vulnerability. Applying the vendor patch as soon as possible mitigates the risk entirely.

Generated by OpenCVE AI on April 13, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Apache Storm 2.8.6 update to all client, Nimbus, and Worker nodes.
  • If an immediate upgrade is not possible, apply the recommended monkey-patch by setting an ObjectInputFilter allow-list on ClientAuthUtils.deserializeKerberosTicket() to restrict deserialization to javax.security.auth.kerberos.KerberosTicket and its dependencies. A step-by-step guide is available in the 2.8.6 release notes.

Generated by OpenCVE AI on April 13, 2026 at 11:20 UTC.
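As an added example of the allow-list mitigation described in the advisory's Mitigation section and in the recommended actions above (this is not code from Apache Storm, OpenCVE or the 2.8.6 release notes): a filtered replacement for a bare readObject() on the base64 TGT blob. The class list and the depth/reference/byte limits are assumptions derived from KerberosTicket's serialized form, and the ticket built in main() is a constructed, non-functional placeholder.

```java
import java.io.*;
import java.util.Base64;
import java.util.Date;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class TgtFilterDemo {
    // Assumed allow-list: the classes a serialized KerberosTicket references (KeyImpl holds the
    // session key; the InetAddress types appear only when client addresses are set). The limits
    // are assumed defensive values, not Storm's. Everything else is rejected by the trailing "!*".
    static final ObjectInputFilter TGT_FILTER = ObjectInputFilter.Config.createFilter(
        "javax.security.auth.kerberos.KerberosTicket;"
        + "javax.security.auth.kerberos.KerberosPrincipal;"
        + "javax.security.auth.kerberos.KeyImpl;"
        + "java.util.Date;java.net.InetAddress;java.net.Inet4Address;java.net.Inet6Address;"
        + "maxdepth=8;maxrefs=64;maxbytes=65536;!*");

    // Filtered counterpart of an unfiltered readObject(): a class outside the allow-list is
    // rejected with InvalidClassException before it is resolved or instantiated.
    static KerberosTicket deserializeTicket(String base64) throws IOException, ClassNotFoundException {
        byte[] blob = Base64.getDecoder().decode(base64);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            in.setObjectInputFilter(TGT_FILTER); // must be installed before the first readObject()
            Object o = in.readObject();
            if (!(o instanceof KerberosTicket)) {
                throw new InvalidObjectException("TGT field did not contain a KerberosTicket");
            }
            return (KerberosTicket) o;
        }
    }

    static String serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(obj); }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        // Constructed ticket: placeholder ASN.1 bytes, an all-zero AES-128 key (etype 17), no addresses.
        Date now = new Date();
        KerberosTicket ticket = new KerberosTicket(new byte[] {0x61, 0x00},
            new KerberosPrincipal("alice@EXAMPLE.COM"), new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM"),
            new byte[16], 17, null, now, now, new Date(now.getTime() + 36_000_000L), null, null);
        KerberosTicket back = deserializeTicket(serialize(ticket));
        System.out.println("allowed: " + back.getClient() + " -> " + back.getServer());
        try { // any other class in the TGT field, however harmless, is refused by the filter
            deserializeTicket(serialize(new java.util.ArrayList<String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Requires Java 9 or later, where java.io.ObjectInputFilter is available; the second call fails with "filter status: REJECTED" because java.util.ArrayList is not on the allow-list.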

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:15:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 10:30:00 +0000

Type: References

Mon, 13 Apr 2026 10:00:00 +0000

Type: Description
Values added: Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs. Mitigation: 2.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6. Credit: This issue was discovered by K.
Type: Title
Values added: Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handling
Type: Weaknesses
Values added: CWE-502
Type: References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-13T14:05:29.304Z

Reserved: 2026-04-02T09:21:36.185Z

Link: CVE-2026-35337

Vulnrichment

Updated: 2026-04-13T09:40:03.188Z

NVD

Status: Awaiting Analysis

Published: 2026-04-13T10:16:11.610

Modified: 2026-04-13T15:17:33.750

Link: CVE-2026-35337

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:52:32Z

Weaknesses