Cyber Posture

CVE-2026-35337

Severity: High
Published: 13 April 2026
Modified: 15 April 2026
KEV Added: (no date listed)
Patch: available (fixed in 2.8.6, see Description)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0024 (46.4th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs. Mitigation: 2.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket(), restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6. Credit: This issue was discovered by K.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: Remediates the deserialization vulnerability by upgrading to Apache Storm 2.8.6 or applying the recommended monkey-patch to prevent RCE.

prevent: Enforces validation and class filtering on untrusted deserialized TGT blobs submitted via the Nimbus Thrift API to block crafted objects leading to RCE.

prevent: Establishes secure configuration settings, such as ObjectInputFilter allow-lists, to mitigate unsafe deserialization in Storm deployments.

Security Summary (AI-generated)

CVE-2026-35337 is a Deserialization of Untrusted Data vulnerability (CWE-502) in Apache Storm, affecting versions prior to 2.8.6. The issue arises when Storm processes topology credentials submitted via the Nimbus Thrift API, deserializing a base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. This flaw has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated user with topology submission rights can exploit this vulnerability by supplying a crafted serialized object in the "TGT" credential field. Successful exploitation leads to remote code execution in both the Nimbus and Worker JVMs.

Apache Storm advisories recommend that 2.x users upgrade to version 2.8.6 for a complete fix. As an interim measure, users unable to upgrade immediately can apply a monkey-patch to ClientAuthUtils.deserializeKerberosTicket() using an ObjectInputFilter allow-list that restricts deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies; a guide is available in the 2.8.6 release notes. Additional details are provided in the Storm release announcement at https://storm.apache.org/2026/04/12/storm286-released.html and the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/04/12/6.
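
The Description and the Security Summary above both describe the same pair of patterns: an unfiltered ObjectInputStream.readObject() on an attacker-supplied TGT blob, and the interim fix of wrapping that call in an ObjectInputFilter allow-list. The following is an added example written for this page to show what that looks like in plain JDK code; it is not Apache Storm's ClientAuthUtils, and it is not the monkey-patch procedure from the 2.8.6 release notes. The allow-list contents (the ticket, its principals, the JDK-internal KeyImpl session key class, Date and InetAddress) and the sample ticket are assumptions made for the demonstration; the authoritative class list is in the Storm release notes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.net.InetAddress;
import java.util.Base64;
import java.util.Date;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

// Added example for this page, not Apache Storm's own code.
public class FilteredTicketDeserializer {

    // ASSUMPTION (not taken from the Storm advisory): these are the classes a
    // serialized KerberosTicket graph needs on a recent JDK. The JDK filter
    // judges arrays by their component type and never filters primitives, so
    // byte[], boolean[] and InetAddress[] need no separate entry. The trailing
    // "!*" rejects every class not listed; the limits bound depth and size.
    static final ObjectInputFilter TICKET_ONLY = ObjectInputFilter.Config.createFilter(
        "maxdepth=6;maxarray=65536;maxrefs=128;"
        + "javax.security.auth.kerberos.KerberosTicket;"
        + "javax.security.auth.kerberos.KerberosPrincipal;"
        + "javax.security.auth.kerberos.KeyImpl;"
        + "java.util.Date;java.lang.String;"
        + "java.net.InetAddress;java.net.Inet4Address;java.net.Inet6Address;"
        + "!*");

    // The vulnerable pattern described on this page: readObject() on an
    // attacker-controlled blob with no filter. Any Serializable class on the
    // classpath is instantiated and its deserialization hooks run before the
    // cast to KerberosTicket is ever evaluated.
    static KerberosTicket deserializeUnfiltered(String base64Tgt)
            throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64Tgt);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return (KerberosTicket) in.readObject();   // the cast happens too late
        }
    }

    // Hardened form: the filter is consulted as each class descriptor is read,
    // so a class outside the allow-list is refused with InvalidClassException
    // before any object of that class exists.
    static KerberosTicket deserializeFiltered(String base64Tgt)
            throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64Tgt);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(TICKET_ONLY);      // must be set before readObject()
            return (KerberosTicket) in.readObject();
        }
    }

    static String serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample ticket: the ASN.1 bytes and session key are placeholders.
        KerberosPrincipal client = new KerberosPrincipal("alice@EXAMPLE.COM");
        KerberosPrincipal tgs = new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM");
        KerberosTicket ticket = new KerberosTicket(
            new byte[] {0x61, 0x00}, client, tgs, new byte[16], 17, null,
            new Date(), new Date(), new Date(System.currentTimeMillis() + 36_000_000L),
            null, new InetAddress[] {InetAddress.getByAddress(new byte[] {10, 0, 0, 5})});

        // A legitimate ticket still round-trips through the filtered path.
        KerberosTicket back = deserializeFiltered(serialize(ticket));
        System.out.println("accepted: " + back.getClient() + " -> " + back.getServer());

        // Stand-in for a gadget chain: any Serializable class outside the
        // allow-list. The unfiltered path builds the object and only fails at
        // the cast; the filtered path refuses the class descriptor outright.
        String notATicket = serialize(new java.util.HashMap<String, Object>());
        try {
            deserializeUnfiltered(notATicket);
        } catch (ClassCastException e) {
            System.out.println("unfiltered: object was created, rejected only at the cast");
        }
        try {
            deserializeFiltered(notATicket);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected before instantiation: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac FilteredTicketDeserializer.java && java FilteredTicketDeserializer` on Java 9 or later (ObjectInputFilter was added in Java 9). Two practical caveats: KeyImpl is a JDK-internal class, so any allow-list of this shape should be verified against tickets serialized by the exact JDK the Storm daemons run on, and a process-wide alternative exists in the JDK (`-Djdk.serialFilter=...` or `ObjectInputFilter.Config.setSerialFilter`), but it applies to every ObjectInputStream in the JVM and therefore needs testing against Storm's other serialization paths before it is used in place of a call-site filter.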

Details

CWE(s): CWE-502 Deserialization of Untrusted Data

Affected Products: apache storm, versions 2.0.0 up to but not including 2.8.6 (2.8.6 is the fixed release)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability enables remote code execution through deserialization of untrusted data in the Nimbus Thrift API by authenticated users with topology submission rights, directly facilitating Exploitation of Remote Services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
