Description
Deserialization of Untrusted Data vulnerability in Apache Storm.

Versions Affected:
before 2.8.6.


Description:
When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs.


Mitigation:
2.x users should upgrade to 2.8.6.


Users who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list into ClientAuthUtils.deserializeKerberosTicket(), restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6.

Credit: This issue was discovered by K.
Published: 2026-04-13
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The vulnerability lies in Apache Storm Client’s handling of topology credentials via the Nimbus Thrift API. Storm deserializes a base64‑encoded Kerberos TGT blob using ObjectInputStream.readObject() without applying any class filtering or validation. An authenticated user who has permission to submit topologies can supply a crafted serialized object in the 'TGT' credential field. This flaw effectively allows the attacker to execute arbitrary code within both the Nimbus and Worker JVMs, giving full control over the Storm cluster. The issue is a classic unsafe deserialization vulnerability (CWE‑502).

Affected Systems

Apache Software Foundation’s Apache Storm Client, versions prior to 2.8.6, are affected. Users deploying older Storm releases should verify their installation against the affected version list and ensure they are not running vulnerable code.

Risk and Exploitability

The CVSS base score of 8.8 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is unlikely in the near term, and the vulnerability is not listed in CISA’s KEV catalog. The attack does require an authenticated user with topology submission rights, but that user could be an internal threat actor or a compromised account. Once such privileges are available, a single malicious credential submission can immediately lead to remote code execution on both Nimbus and Worker processes.

Generated by OpenCVE AI on April 13, 2026 at 15:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Storm Client to version 2.8.6 or later.
  • If an upgrade is not immediately possible, apply an ObjectInputFilter allow‑list to ClientAuthUtils.deserializeKerberosTicket(), restricting deserializable classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies following the guide in the 2.8.6 release notes.
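The filtered read that the Mitigation paragraph and the second recommended action describe, as an added example (not Storm's code): a custom ObjectInputFilter that allow-lists KerberosTicket and its serialized dependencies and is installed on the ObjectInputStream before readObject(), so an unlisted class fails with InvalidClassException instead of being instantiated. The class names in ALLOWED other than KerberosTicket, the size limits, and the SafeTgtDeserializer class with its serialize() helper are assumptions; the authoritative dependency list and the hook point into ClientAuthUtils come from the 2.8.6 release notes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Base64;
import java.util.Set;
import javax.security.auth.kerberos.KerberosTicket;

public final class SafeTgtDeserializer {
    // Allow-list for the TGT blob. ASSUMPTION: illustrative; take the authoritative list from the 2.8.6 release notes.
    private static final Set<String> ALLOWED = Set.of(
        "javax.security.auth.kerberos.KerberosTicket", "javax.security.auth.kerberos.KerberosPrincipal",
        "javax.security.auth.kerberos.KeyImpl", "java.util.Date",
        "java.net.InetAddress", "java.net.Inet4Address", "java.net.Inet6Address");
    // Consulted by ObjectInputStream for every class and array it is about to resolve.
    static final ObjectInputFilter TGT_FILTER = info -> {
        if (info.depth() > 8 || info.arrayLength() > 4096 || info.references() > 512) {
            return ObjectInputFilter.Status.REJECTED;                 // structural limits (assumed values)
        }
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED;     // no class at this step
        while (c.isArray()) c = c.getComponentType();                 // judge arrays by element type
        if (c.isPrimitive()) return ObjectInputFilter.Status.ALLOWED; // byte[] / boolean[] ticket fields
        return ALLOWED.contains(c.getName()) ? ObjectInputFilter.Status.ALLOWED
                                            : ObjectInputFilter.Status.REJECTED;
    };
    static Object readFiltered(byte[] blob) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            ois.setObjectInputFilter(TGT_FILTER);   // must be set before readObject()
            return ois.readObject();                // unlisted class -> InvalidClassException
        }
    }
    // Same shape as the vulnerable path: base64 TGT string in, KerberosTicket out.
    public static KerberosTicket deserializeKerberosTicket(String base64Tgt) throws Exception {
        return (KerberosTicket) readFiltered(Base64.getDecoder().decode(base64Tgt));
    }
    static byte[] serialize(Object o) throws Exception {   // builds the constructed demo inputs
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        System.out.println(readFiltered(serialize(new java.util.Date(0))));  // listed class: accepted
        try { readFiltered(serialize(new java.util.ArrayList<>())); }        // unlisted class: rejected
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The same filter can instead be applied process-wide with the jdk.serialFilter system property, but a per-stream filter keeps the allow-list scoped to the TGT path and does not affect other serialization in the JVM.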



Advisories

Source: GitHub GHSA
ID: GHSA-jf89-3q6q-vcgr
Title: Apache Storm: Deserialization of Untrusted Data vulnerability
History

Wed, 15 Apr 2026 16:00:00 +0000
  Type: CPEs
  Values: cpe:2.3:a:apache:storm:*:*:*:*:*:*:*:*

Tue, 14 Apr 2026 16:30:00 +0000
  Type: First Time appeared
  Values: Apache; Apache storm
  Type: Vendors & Products
  Values: Apache; Apache storm

Mon, 13 Apr 2026 14:15:00 +0000
  Type: Metrics
  Values:
    cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 10:30:00 +0000
  Type: References

Mon, 13 Apr 2026 10:00:00 +0000
  Type: Description
  Values: the vulnerability description reproduced at the top of this page
  Type: Title
  Values: Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handling
  Type: Weaknesses
  Values: CWE-502
References

MITRE
  Status: PUBLISHED
  Assigner: apache
  Published:
  Updated: 2026-04-14T03:55:31.489Z
  Reserved: 2026-04-02T09:21:36.185Z
  Link: CVE-2026-35337

Vulnrichment
  Updated: 2026-04-13T09:40:03.188Z

NVD
  Status: Analyzed
  Published: 2026-04-13T10:16:11.610
  Modified: 2026-04-15T15:54:21.067
  Link: CVE-2026-35337

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-04-14T16:34:36Z

Weaknesses