Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6Blast Radius
ecosystem impact- 31 maven packages depend on org.apache.storm:storm-client (24 direct, 7 indirect)
Ecosystem-wide dependent count for version 2.8.6.
DescriptionCVE.org
Deserialization of Untrusted Data vulnerability in Apache Storm.
Versions Affected: before 2.8.6.
Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs.
Mitigation: 2.x users should upgrade to 2.8.6.
Users who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6.
Credit: This issue was discovered by K.
AnalysisAI
Remote code execution in Apache Storm before 2.8.6 allows authenticated users with topology submission rights to execute arbitrary code on Nimbus and Worker JVMs via crafted serialized objects in Kerberos TGT credentials. The vulnerability exploits unsafe deserialization in the Nimbus Thrift API (CWE-502) with CVSS 8.8. No active exploitation confirmed (EPSS 0.30%, SSVC exploitation status: none), but the low attack complexity and network attack vector make this a critical patch priority for Storm deployments with authenticated users.
Technical ContextAI
Apache Storm is a distributed real-time computation system. This vulnerability resides in the Nimbus server's Thrift API credential processing mechanism, specifically in ClientAuthUtils.deserializeKerberosTicket(). When users submit topology credentials containing Kerberos TGT (Ticket Granting Ticket) data, Storm base64-decodes the blob and deserializes it using Java's ObjectInputStream.readObject() without ObjectInputFilter protections. This is a classic unsafe deserialization vulnerability (CWE-502), a known dangerous pattern in Java applications. The lack of class filtering allows arbitrary class instantiation during deserialization. Because topology credentials propagate from Nimbus to Worker JVMs, the malicious payload executes in both contexts, providing the attacker with code execution across the Storm cluster's control plane (Nimbus) and data plane (Workers). The affected component is Apache Storm Client library (CPE: cpe:2.3:a:apache_software_foundation:apache_storm_client:*:*:*:*:*:*:*:*) used in Storm versions before 2.8.6.
RemediationAI
Users running Apache Storm 2.x should immediately upgrade to version 2.8.6, which contains the fix for this deserialization vulnerability. The patched version implements proper input filtering to restrict deserialized classes to safe types. For environments where immediate upgrade is not feasible, Apache provides a temporary mitigation: monkey-patch an ObjectInputFilter allow-list into ClientAuthUtils.deserializeKerberosTicket() that restricts deserialization to only javax.security.auth.kerberos.KerberosTicket and its known safe dependencies. Detailed implementation guidance for this workaround is available in the 2.8.6 release notes at https://storm.apache.org/2026/04/12/storm286-released.html. Organizations should also review and restrict topology submission permissions to only trusted users as a defense-in-depth measure, since the vulnerability requires authenticated access with topology submission rights.
Same weakness CWE-502 – Deserialization of Untrusted Data
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21902
GHSA-jf89-3q6q-vcgr