Platform
java
Component
org.apache.storm:storm-client
Fixed in
2.8.6
CVE-2026-35337 is an insecure deserialization vulnerability in Apache Storm, reached when Nimbus processes the credentials attached to a topology submitted through its Thrift API. An authenticated user who is allowed to submit topologies can execute arbitrary code on the Nimbus JVM and on the Worker JVMs that run the topology by supplying a crafted serialized object in place of a credential. All versions before 2.8.6 are affected; upgrading to 2.8.6 is the fix.
CVE-2026-35337 in Apache Storm Client affects versions prior to 2.8.6. It enables remote code execution (RCE) through the deserialization of untrusted data. An authenticated user with topology submission privileges can craft a malicious serialized object within the 'TGT' credential field. This object is then deserialized using ObjectInputStream.readObject() in both Nimbus and Worker nodes, without any class filtering or validation, allowing arbitrary code execution. The CVSS score for this vulnerability is 8.8, indicating a high-severity risk. Successful exploitation could lead to complete control of the Storm cluster.
The vulnerability is reached through the Nimbus Thrift API by submitting a topology whose credentials contain the crafted object. The attacker must authenticate and hold topology submission permission; beyond that, the attack complexity is low, since only one field of the submission needs to be replaced with the malicious serialized object. Because the credential is deserialized on Nimbus and again on every Worker JVM that runs the topology, the attacker's code executes with the privileges of those processes on each of those hosts. The authentication requirement narrows who can attack, but the result is remote code execution, so the risk remains significant. The root cause is that the credential bytes are passed to ObjectInputStream.readObject() with no class filtering or validation.
Exploit Status
EPSS
0.42% (62nd percentile)
CVSS Vector
The primary mitigation for CVE-2026-35337 is to upgrade the Apache Storm client (org.apache.storm:storm-client) to version 2.8.6 or later, which filters the classes that may be deserialized from topology credentials. Until you can upgrade, restrict network access to the Nimbus Thrift API to trusted hosts and limit topology submission permission to trusted users; because Thrift is a binary RPC protocol rather than HTTP, a WAF has little to inspect here, and network-level access control is the useful compensating control. Monitor Nimbus and Worker logs for topology submissions from unexpected principals and for deserialization errors, which can help detect and respond to attempts. Upgrading remains the most effective fix.
Upgrade to version 2.8.6 of Apache Storm. If you cannot upgrade immediately, apply a patch that installs an ObjectInputFilter (JEP 290) on the stream that reads the credential, allowing only javax.security.auth.kerberos.KerberosTicket and the classes its serialized form depends on and rejecting everything else, following the instructions in the 2.8.6 release notes.
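The following is an added, stand-alone illustration of that interim hardening; it is not Storm's own code or the 2.8.6 patch. It contrasts an unfiltered ObjectInputStream.readObject() with one that has a JEP 290 ObjectInputFilter installed, using a stand-in class whose readObject has a side effect in place of a real gadget chain, and then round-trips a constructed KerberosTicket through the filter to show that legitimate TGTs still pass. The class name CredentialFilterDemo, the constructed ticket data and the allow-list pattern are assumptions; the pattern lists the classes that appear in KerberosTicket's serialized form on current JDKs (KerberosTicket, KerberosPrincipal, the package-private KeyImpl, Date and InetAddress), and you should verify it against the JDK your cluster runs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Date;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class CredentialFilterDemo {

    // Allow-list for the TGT credential (assumed pattern; verify against your JDK).
    // Patterns are matched left to right, first match wins, and the trailing "!*"
    // rejects every class not listed. Primitive arrays (byte[], boolean[]) are
    // never rejected by pattern filters, so the ticket's encoding and flags pass.
    static final String TGT_FILTER_PATTERN =
          "javax.security.auth.kerberos.*;"   // KerberosTicket, KerberosPrincipal, KeyImpl
        + "java.util.Date;"                    // authTime, startTime, endTime, renewTill
        + "java.net.InetAddress;java.net.Inet4Address;java.net.Inet6Address;" // clientAddresses
        + "java.lang.String;"                  // hostName inside a serialized InetAddress
        + "maxdepth=8;maxarray=65536;"         // structural limits against resource abuse
        + "!*";

    // Stands in for a gadget: attacker-controlled readObject with a side effect.
    // A real chain would execute a command here instead of setting a flag.
    static boolean gadgetRan = false;

    static class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            gadgetRan = true;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: whatever class the submitter chose is instantiated
    // and its readObject runs before the caller can inspect the result.
    static Object readCredentialUnfiltered(byte[] blob) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            return in.readObject();
        }
    }

    // Hardened pattern: the filter is consulted when each class descriptor is
    // read, so a rejected class is never instantiated and its readObject never runs.
    static KerberosTicket readTgt(byte[] blob) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(TGT_FILTER_PATTERN);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            in.setObjectInputFilter(filter);
            Object o = in.readObject();
            if (!(o instanceof KerberosTicket)) {
                throw new InvalidClassException("expected KerberosTicket, got " + o.getClass().getName());
            }
            return (KerberosTicket) o;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] malicious = serialize(new Gadget());

        readCredentialUnfiltered(malicious);
        System.out.println("unfiltered: gadget readObject ran = " + gadgetRan);

        gadgetRan = false;
        try {
            readTgt(malicious);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected (" + e.getMessage() + "), gadget ran = " + gadgetRan);
        }

        // Constructed test ticket: dummy ASN.1 bytes and an all-zero AES-128 key (etype 17).
        Date now = new Date();
        KerberosTicket tgt = new KerberosTicket(
                new byte[] {0x30, 0x00},
                new KerberosPrincipal("alice@EXAMPLE.COM"),
                new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM"),
                new byte[16], 17,
                null, now, now, new Date(now.getTime() + 3_600_000L), null, null);
        KerberosTicket back = readTgt(serialize(tgt));
        System.out.println("filtered: legitimate TGT accepted for " + back.getClient().getName());
    }
}
```

Run it with any Java 9 or later JDK; the first line shows the stand-in gadget's readObject running under the unfiltered read, the second shows the filtered read failing with an InvalidClassException before the gadget class is instantiated, and the third shows a real KerberosTicket still deserializing. Keep the allow-list as tight as the ticket's serialized form permits, and prefer the upgrade: the filter blocks class instantiation, but it does not change the fact that the API accepts arbitrary bytes from any user who can submit a topology.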
Apache Storm is an open-source distributed real-time computation system.
The vulnerability allows remote code execution on Nimbus and Worker JVMs, potentially compromising the entire Storm cluster.
Restrict access to the Nimbus Thrift API and monitor logs for suspicious activity.
Vulnerability scanners can detect the Storm version and alert on this vulnerability.
If your version is prior to 2.8.6, it is vulnerable.