Description
Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI


Versions Affected: before 2.8.6


Description: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in parseNode() and parseEdge() without sanitization at any layer. An authenticated user with topology submission rights could craft a topology containing malicious HTML/JavaScript in component identifiers (e.g., a bolt ID containing an onerror event handler). This payload flows through Nimbus → Thrift → the Visualization API → vis.js tooltip rendering, resulting in stored cross-site scripting. 

In multi-tenant deployments where topology submission is available to less-trusted users but the UI is accessed by operators or administrators, this enables privilege escalation through script execution in an admin's browser session.


Mitigation: 2.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch the parseNode() and parseEdge() functions in the visualization JavaScript file to HTML-escape all API-supplied values including nodeId, :capacity, :latency, :component, :stream, and :grouping before interpolation into tooltip HTML strings, and should additionally restrict topology submission to trusted users via Nimbus ACLs as a defense-in-depth measure. A guide on how to do this is available in the release notes of 2.8.6.

Credit: This issue was discovered while investigating another report by K.
Published: 2026-04-13
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting with privilege escalation
Action: Patch
AI Analysis

Impact

The vulnerability allows an authenticated user with the right to submit topology definitions to insert malicious HTML or JavaScript into component identifiers. This data is stored and later rendered by the Storm UI visualization layer using innerHTML without any sanitization. As a result, when an operator or administrator views the affected topology, the embedded script executes in that user's browser session, compromising those higher-privilege users. The impact is arbitrary script execution in the browser context of administrators or operators, enabling credential theft, lateral movement, or further attacks on the underlying cluster.

Affected Systems

Apache Storm UI from the Apache Software Foundation is affected for all versions prior to 2.8.6. Only the UI component that renders topology metadata is impacted; the core Storm cluster remains unaffected unless an attacker also possesses UI access.

Risk and Exploitability

The attack requires authentication to submit a topology and access to the UI, which is typically restricted to trusted users. No publicly available CVSS score or EPSS entry is listed, but the presence of a stored XSS and the potential for privilege escalation indicate a non-negligible risk to systems where topology submission rights are granted to multiple tenants. The vulnerability is not listed in the CISA KEV catalog. Exposure depends on the current access controls in place; if operators can view any submitted topology, the risk is significantly higher.

Generated by OpenCVE AI on April 13, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Storm UI to version 2.8.6 or later
  • If an upgrade cannot be performed immediately, patch the parseNode() and parseEdge() functions in the visualization JavaScript file to HTML-escape all API-supplied values before inserting them into tooltip strings
  • Enforce strict Nimbus ACLs to allow only trusted users to submit topologies, providing an additional defense in depth
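As an added example, not code from Apache Storm or from this advisory: a JavaScript sketch of the mitigation described in the Description and in the recommended actions above. It shows a tooltip builder in the shape the advisory attributes to parseNode()/parseEdge() (raw API metadata concatenated into an HTML string that ends up in innerHTML), a hardened version that escapes every API-supplied value, and a wrapper that escapes all string fields before the original builder runs, mirroring the monkey-patch approach. The field names nodeId, :capacity, :latency, :component, :stream and :grouping come from the advisory; the object shapes, function names and the constructed sample bolt ID are assumptions.

```javascript
// Added example, not code from Apache Storm or from this advisory.
// Field names follow the advisory; object shapes, function names and sample
// data are assumptions made for illustration.

// Escape the characters that can break out of an HTML text or quoted-attribute
// context. Non-string input (numbers, null) is stringified first.
function escapeHtml(value) {
  return (value == null ? '' : String(value))
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe pattern: values straight from the Visualization API are interpolated
// into markup, so a bolt ID carrying a tag becomes live HTML in the tooltip.
function buildNodeTooltipUnsafe(node) {
  return '<b>' + node.nodeId + '</b><br>' +
         'capacity: ' + node[':capacity'] + '<br>' +
         'latency: ' + node[':latency'];
}

// Hardened: every API-supplied value goes through escapeHtml() before it is
// placed in the string; the template's own <b> and <br> tags are the only markup.
function buildNodeTooltipSafe(node) {
  return '<b>' + escapeHtml(node.nodeId) + '</b><br>' +
         'capacity: ' + escapeHtml(node[':capacity']) + '<br>' +
         'latency: ' + escapeHtml(node[':latency']);
}

// Same treatment for edge metadata (component, stream, grouping).
function buildEdgeTooltipSafe(edge) {
  return '<b>' + escapeHtml(edge[':component']) + '</b>' +
         ' stream: ' + escapeHtml(edge[':stream']) +
         ' grouping: ' + escapeHtml(edge[':grouping']);
}

// Monkey-patch helper: returns a copy of the metadata object with every string
// field escaped. Numbers and booleans cannot carry markup and pass through;
// nested objects are not descended into (extend this if the API nests values).
function escapeAllFields(obj) {
  const out = {};
  for (const [key, value] of Object.entries(obj)) {
    out[key] = typeof value === 'string' ? escapeHtml(value) : value;
  }
  return out;
}

// Wrap an existing builder so callers keep using the original function name
// while its input is escaped first, e.g. parseNode = hardenTooltipBuilder(parseNode).
function hardenTooltipBuilder(builder) {
  return function (obj) {
    return builder(escapeAllFields(obj));
  };
}

// Constructed sample: a bolt whose ID carries an img tag with an event handler,
// the shape of payload the advisory describes.
const sampleNode = {
  nodeId: 'bolt-1<img src=x onerror=alert(1)>',
  ':capacity': 0.42,
  ':latency': '3.5ms',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe: ', buildNodeTooltipUnsafe(sampleNode));
  console.log('safe:   ', buildNodeTooltipSafe(sampleNode));
  console.log('patched:', hardenTooltipBuilder(buildNodeTooltipUnsafe)(sampleNode));
}
```

Escaping is context-specific: these replacements are correct for HTML text and quoted attribute values, which is the context of a tooltip string, but not for values placed inside a script block, a URL or a CSS rule. Where the rendering library accepts a DOM element as the tooltip, building it with createElement and textContent avoids string assembly altogether and is the more robust fix.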


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 10:30:00 +0000

Type: References
Values Removed: (none)
Values Added: (none listed)

Mon, 13 Apr 2026 10:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI Versions Affected: before 2.8.6 Description: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in parseNode() and parseEdge() without sanitization at any layer. An authenticated user with topology submission rights could craft a topology containing malicious HTML/JavaScript in component identifiers (e.g., a bolt ID containing an onerror event handler). This payload flows through Nimbus → Thrift → the Visualization API → vis.js tooltip rendering, resulting in stored cross-site scripting. In multi-tenant deployments where topology submission is available to less-trusted users but the UI is accessed by operators or administrators, this enables privilege escalation through script execution in an admin's browser session. Mitigation: 2.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch the parseNode() and parseEdge() functions in the visualization JavaScript file to HTML-escape all API-supplied values including nodeId, :capacity, :latency, :component, :stream, and :grouping before interpolation into tooltip HTML strings, and should additionally restrict topology submission to trusted users via Nimbus ACLs as a defense-in-depth measure. A guide on how to do this is available in the release notes of 2.8.6. Credit: This issue was discovered while investigating another report by K.

Type: Title
Values Removed: (none)
Values Added: Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none listed)

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-13T14:10:07.069Z

Reserved: 2026-04-03T15:14:12.281Z

Link: CVE-2026-35565

Vulnrichment

Updated: 2026-04-13T09:40:05.298Z

NVD

Status : Awaiting Analysis

Published: 2026-04-13T10:16:11.770

Modified: 2026-04-13T15:17:33.953

Link: CVE-2026-35565

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:52:33Z

Weaknesses