Platform
java
Component
org.apache.storm:storm-webapp
Fixed in
2.8.6
CVE-2026-35565 describes a Stored Cross-Site Scripting (XSS) vulnerability found in the Apache Storm web UI. This vulnerability allows an authenticated user with topology submission rights to inject malicious HTML or JavaScript code into the UI through crafted topology metadata, potentially leading to unauthorized actions or data theft. The vulnerability affects versions of Apache Storm up to and including 2.8.5, but a patch is available in version 2.8.6.
CVE-2026-35565 is a stored Cross-Site Scripting (XSS) vulnerability in the Apache Storm UI. It occurs because the UI interpolates topology metadata, including component IDs, stream names, and grouping values, directly into HTML via innerHTML without any sanitization. An authenticated user with topology submission privileges could submit a topology whose component identifiers contain HTML or JavaScript. That script then executes in the browsers of other users who view the topology in the UI, potentially stealing session cookies, redirecting them to malicious sites, or performing actions on their behalf. The CVSS score is 5.4, indicating medium severity.
An attacker requires authentication and permission to submit topologies to Apache Storm. Once a malicious topology is submitted, the injected JavaScript is stored in the UI's database or cache. When other users open the UI to view that topology, the JavaScript executes in their browsers. The root cause is the lack of sanitization of topology metadata before it is inserted into the UI's HTML; exploitation succeeds whenever the attacker can create a topology whose metadata is rendered, unescaped, in the context of the target user.
Exploit Status
EPSS
0.02% (4th percentile)
CVSS Vector
The primary mitigation for this vulnerability is to upgrade Apache Storm to version 2.8.6 or later. This version includes fixes that prevent topology metadata from being interpolated directly into HTML. As a temporary workaround, consider disabling topology visualization in the UI if it is not essential. Additionally, restrict topology submission privileges to trusted users to reduce the attack surface. Monitoring UI logs for suspicious activity can also help identify and respond to attempted exploitation.
Upgrade to version 2.8.6 or higher to mitigate the vulnerability. If upgrading immediately is not possible, patch the parseNode() and parseEdge() functions in the visualization JavaScript file to HTML-escape all API-supplied values including nodeId, :capacity, :latency, :component, :stream, and :grouping, before interpolating them into the HTML strings of the tooltips.
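The following is an added example, not code from Apache Storm or from this advisory, illustrating the class of fix described above: the same tooltip built first by raw string interpolation (the vulnerable pattern) and then with every API-supplied value passed through an HTML-escape helper. The field names nodeId, :capacity, :latency, :component, :stream and :grouping are taken from the advisory; the node and edge objects, the tooltip layout and the sample metadata values are constructed here for illustration, and the function names are hypothetical rather than Storm's own.

```javascript
// Added example (not Apache Storm's own code): HTML-escaping API-supplied
// topology metadata before it is interpolated into tooltip HTML strings.
// Field names mirror those named in the advisory; the objects, layout and
// sample values below are constructed for illustration.

// Escape the five characters that are significant in HTML text and
// attribute context. Applied to every untrusted value, in every position.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (the bug class the advisory describes): metadata is
// concatenated straight into an HTML string that is later assigned to
// innerHTML, so markup inside nodeId is rendered rather than displayed.
function buildNodeTooltipUnsafe(nodeId, node) {
  return '<div class="tooltip"><b>' + nodeId + '</b>' +
    '<br>Capacity: ' + node[':capacity'] +
    '<br>Latency: ' + node[':latency'] + '</div>';
}

// Hardened form: identical layout, but every API-supplied value is escaped
// before interpolation, so it can only ever appear as text.
function buildNodeTooltipSafe(nodeId, node) {
  return '<div class="tooltip"><b>' + escapeHtml(nodeId) + '</b>' +
    '<br>Capacity: ' + escapeHtml(node[':capacity']) +
    '<br>Latency: ' + escapeHtml(node[':latency']) + '</div>';
}

// Same treatment for the edge tooltip fields named in the advisory.
function buildEdgeTooltipSafe(edge) {
  return '<div class="tooltip">' +
    escapeHtml(edge[':component']) + ' / ' + escapeHtml(edge[':stream']) +
    '<br>Grouping: ' + escapeHtml(edge[':grouping']) + '</div>';
}

// Defender-side regression guard: given a rendered fragment and the
// untrusted values that went into it, report whether any value containing
// angle brackets survived verbatim (i.e. was not escaped).
function leaksRawMarkup(html, untrustedValues) {
  return untrustedValues.some(function (v) {
    var s = String(v);
    return /[<>]/.test(s) && html.indexOf(s) !== -1;
  });
}

// Constructed sample metadata: a component id carrying markup, which is the
// kind of value the advisory says must be neutralised before rendering.
var SAMPLE_NODE_ID = 'spout<script>alert(1)</script>';
var SAMPLE_NODE = { ':capacity': '0.75', ':latency': '12.5 ms' };
var SAMPLE_EDGE = { ':component': 'bolt"1', ':stream': '<b>default</b>', ':grouping': 'shuffle' };

// Builds both variants from the sample and reports which one leaks markup.
function demo() {
  var unsafe = buildNodeTooltipUnsafe(SAMPLE_NODE_ID, SAMPLE_NODE);
  var safe = buildNodeTooltipSafe(SAMPLE_NODE_ID, SAMPLE_NODE);
  return {
    unsafeLeaks: leaksRawMarkup(unsafe, [SAMPLE_NODE_ID]), // true
    safeLeaks: leaksRawMarkup(safe, [SAMPLE_NODE_ID]),     // false
    safeHtml: safe,
    safeEdgeHtml: buildEdgeTooltipSafe(SAMPLE_EDGE)
  };
}
```

Escaping at the point of interpolation is the minimal patch the advisory suggests; a more robust design avoids HTML strings altogether and builds tooltip elements with document.createElement and textContent, which makes a forgotten escape call impossible rather than merely unlikely. The leaksRawMarkup guard is the sort of check worth keeping in a UI test suite so that a future edit to the tooltip code cannot silently reintroduce the unescaped path.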
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
Version 2.8.6 includes a fix for this specific vulnerability, closing this stored XSS vector in the UI.
The attacker needs authentication and permissions to submit topologies to Apache Storm.
If you are using a version of Apache Storm prior to 2.8.6, you are likely affected. Refer to the Apache Storm documentation for more information.
Implement security policies to restrict topology submission privileges and monitor UI logs.