{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35337", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-04-02T09:21:36.185Z", "datePublished": "2026-04-13T09:11:06.193Z", "dateUpdated": "2026-04-14T03:55:31.489Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected", "packageName": "org.apache.storm:storm-client", "product": "Apache Storm Client", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.8.6", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "K"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p><b>Deserialization of Untrusted Data vulnerability in Apache Storm.</b></p><p><strong>Versions Affected:</strong>\nbefore 2.8.6.</p>\n<p><strong>Description:</strong>\nWhen processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using <code>ObjectInputStream.readObject()</code> without any class filtering or validation.&nbsp;An authenticated user with topology submission rights could supply a crafted serialized object in the <code>\"TGT\"</code> credential field, leading to remote code execution in both the Nimbus and Worker JVMs.</p>\n<p><strong>Mitigation:</strong>\n2.x users should upgrade to 2.8.6.</p>\n<p>Users who cannot upgrade immediately should monkey-patch an <code>ObjectInputFilter</code> allow-list to <code>ClientAuthUtils.deserializeKerberosTicket()</code> restricting deserialized classes to <code>javax.security.auth.kerberos.KerberosTicket</code> and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6.</p><p><span style=\"background-color: rgb(255, 255, 255);\"><b>Credit:</b> This issue was discovered by K.</span><br></p>"}], "value": "Deserialization of Untrusted Data vulnerability in Apache Storm.\n\nVersions Affected:\nbefore 2.8.6.\n\n\nDescription:\nWhen processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation.\u00a0An authenticated user with topology submission rights could supply a crafted serialized object in the \"TGT\" credential field, leading to remote code execution in both the Nimbus and Worker JVMs.\n\n\nMitigation:\n2.x users should upgrade to 2.8.6.\n\n\nUsers who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6.\n\nCredit: This issue was discovered by K."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-13T09:11:06.193Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://storm.apache.org/2026/04/12/storm286-released.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handling", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/12/6"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-13T09:40:03.188Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-35337"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T03:55:31.489Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/12/6"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-13T09:40:03.188Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-35337", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T14:04:21.774339Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T14:00:53.646Z"}}], "cna": {"title": "Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handling", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "K"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Storm Client", "versions": [{"status": "affected", "version": "0", "lessThan": "2.8.6", "versionType": "semver"}], "packageName": "org.apache.storm:storm-client", "collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected"}], "references": [{"url": "https://storm.apache.org/2026/04/12/storm286-released.html", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Apache Storm.\n\nVersions Affected:\nbefore 2.8.6.\n\n\nDescription:\nWhen processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation.\u00a0An authenticated user with topology submission rights could supply a crafted serialized object in the \"TGT\" credential field, leading to remote code execution in both the Nimbus and Worker JVMs.\n\n\nMitigation:\n2.x users should upgrade to 2.8.6.\n\n\nUsers who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6.\n\nCredit: This issue was discovered by K.", "supportingMedia": [{"type": "text/html", "value": "<p><b>Deserialization of Untrusted Data vulnerability in Apache Storm.</b></p><p><strong>Versions Affected:</strong>\nbefore 2.8.6.</p>\n<p><strong>Description:</strong>\nWhen processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using <code>ObjectInputStream.readObject()</code> without any class filtering or validation.&nbsp;An authenticated user with topology submission rights could supply a crafted serialized object in the <code>\"TGT\"</code> credential field, leading to remote code execution in both the Nimbus and Worker JVMs.</p>\n<p><strong>Mitigation:</strong>\n2.x users should upgrade to 2.8.6.</p>\n<p>Users who cannot upgrade immediately should monkey-patch an <code>ObjectInputFilter</code> allow-list to <code>ClientAuthUtils.deserializeKerberosTicket()</code> restricting deserialized classes to <code>javax.security.auth.kerberos.KerberosTicket</code> and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6.</p><p><span style=\"background-color: rgb(255, 255, 255);\"><b>Credit:</b> This issue was discovered by K.</span><br></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-13T09:11:06.193Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35337", "state": "PUBLISHED", "dateUpdated": "2026-04-14T03:55:31.489Z", "dateReserved": "2026-04-02T09:21:36.185Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-13T09:11:06.193Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:storm:*:*:*:*:*:*:*:*", "matchCriteriaId": "52FAF08F-1AE5-4EC5-BBA7-393B88FC8AD1", "versionEndExcluding": "2.8.6", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Apache Storm.\n\nVersions Affected:\nbefore 2.8.6.\n\n\nDescription:\nWhen processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation.\u00a0An authenticated user with topology submission rights could supply a crafted serialized object in the \"TGT\" credential field, leading to remote code execution in both the Nimbus and Worker JVMs.\n\n\nMitigation:\n2.x users should upgrade to 2.8.6.\n\n\nUsers who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6.\n\nCredit: This issue was discovered by K."}], "id": "CVE-2026-35337", "lastModified": "2026-04-15T15:54:21.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-13T10:16:11.610", "references": [{"source": "security@apache.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://storm.apache.org/2026/04/12/storm286-released.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/04/12/6"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.8.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Apache Storm Client", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "storm", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-13T15:55:10.263435+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Storm Client to version 2.8.6 or later.", "If an upgrade is not immediately possible, apply an ObjectInputFilter allow\u2011list to ClientAuthUtils.deserializeKerberosTicket(), restricting deserializable classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies following the guide in the 2.8.6 release notes."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Apache Software Foundation\u2019s Apache Storm Client, versions prior to 2.8.6, are affected. Users deploying older Storm releases should verify their installation against the affected version list and ensure they are not running vulnerable code.", "description_and_impact": "The vulnerability lies in Apache Storm Client\u2019s handling of topology credentials via the Nimbus Thrift API. Storm deserializes a base64\u2011encoded Kerberos TGT blob using ObjectInputStream.readObject() without applying any class filtering or validation. An authenticated user who has permission to submit topologies can supply a crafted serialized object in the 'TGT' credential field. This flaw effectively allows the attacker to execute arbitrary code within both the Nimbus and Worker JVMs, giving full control over the Storm cluster. The issue is a classic unsafe deserialization vulnerability (CWE\u2011502).", "risk_and_exploitability": "The CVSS base score of 8.8 indicates a high severity, while the EPSS score of less than 1% suggests that exploitation is unlikely in the near term and the vulnerability is not listed in CISA\u2019s KEV catalog. Nevertheless, the attack requires an authenticated user with topology submission rights, which could be an internal threat actor or compromised account. Once such privileges are available, a single malicious credential submission can immediately lead to remote code execution on both Nimbus and Worker processes."}}}}, "created": "2026-04-13T12:52:32.791930+00:00", "updated": "2026-04-14T16:34:36.483591+00:00", "vendors": ["apache", "apache$PRODUCT$storm"]}