Skip to main content

Apache EUVDEUVD-2026-21902

| CVE-2026-35337 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-04-13 apache GHSA-jf89-3q6q-vcgr
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Patch released
Apr 15, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 13, 2026 - 15:23 vuln.today
CVSS changed
Apr 13, 2026 - 15:22 NVD
8.8 (None) 8.8 (HIGH)
EUVD ID Assigned
Apr 13, 2026 - 10:15 euvd
EUVD-2026-21902
Analysis Generated
Apr 13, 2026 - 10:15 vuln.today
CVE Published
Apr 13, 2026 - 09:11 nvd
HIGH 8.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 31 maven packages depend on org.apache.storm:storm-client (24 direct, 7 indirect)

Ecosystem-wide dependent count for version 2.8.6.

DescriptionCVE.org

Deserialization of Untrusted Data vulnerability in Apache Storm.

Versions Affected: before 2.8.6.

Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs.

Mitigation: 2.x users should upgrade to 2.8.6.

Users who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6.

Credit: This issue was discovered by K.

AnalysisAI

Remote code execution in Apache Storm before 2.8.6 allows authenticated users with topology submission rights to execute arbitrary code on Nimbus and Worker JVMs via crafted serialized objects in Kerberos TGT credentials. The vulnerability exploits unsafe deserialization in the Nimbus Thrift API (CWE-502) with CVSS 8.8. No active exploitation confirmed (EPSS 0.30%, SSVC exploitation status: none), but the low attack complexity and network attack vector make this a critical patch priority for Storm deployments with authenticated users.

Technical ContextAI

Apache Storm is a distributed real-time computation system. This vulnerability resides in the Nimbus server's Thrift API credential processing mechanism, specifically in ClientAuthUtils.deserializeKerberosTicket(). When users submit topology credentials containing Kerberos TGT (Ticket Granting Ticket) data, Storm base64-decodes the blob and deserializes it using Java's ObjectInputStream.readObject() without ObjectInputFilter protections. This is a classic unsafe deserialization vulnerability (CWE-502), a known dangerous pattern in Java applications. The lack of class filtering allows arbitrary class instantiation during deserialization. Because topology credentials propagate from Nimbus to Worker JVMs, the malicious payload executes in both contexts, providing the attacker with code execution across the Storm cluster's control plane (Nimbus) and data plane (Workers). The affected component is Apache Storm Client library (CPE: cpe:2.3:a:apache_software_foundation:apache_storm_client:*:*:*:*:*:*:*:*) used in Storm versions before 2.8.6.

RemediationAI

Users running Apache Storm 2.x should immediately upgrade to version 2.8.6, which contains the fix for this deserialization vulnerability. The patched version implements proper input filtering to restrict deserialized classes to safe types. For environments where immediate upgrade is not feasible, Apache provides a temporary mitigation: monkey-patch an ObjectInputFilter allow-list into ClientAuthUtils.deserializeKerberosTicket() that restricts deserialization to only javax.security.auth.kerberos.KerberosTicket and its known safe dependencies. Detailed implementation guidance for this workaround is available in the 2.8.6 release notes at https://storm.apache.org/2026/04/12/storm286-released.html. Organizations should also review and restrict topology submission permissions to only trusted users as a defense-in-depth measure, since the vulnerability requires authenticated access with topology submission rights.

Share

EUVD-2026-21902 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy