Skip to main content

Apache Storm Prometheus Reporter EUVDEUVD-2026-25846

| CVE-2026-40557 MEDIUM
Improper Certificate Validation (CWE-295)
2026-04-27 apache
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

7
Analysis Generated
Apr 30, 2026 - 16:22 vuln.today
CVSS changed
Apr 30, 2026 - 16:22 NVD
4.8 (None) 4.8 (MEDIUM)
Patch released
Apr 30, 2026 - 16:16 nvd
Patch available
Patch available
Apr 27, 2026 - 15:01 EUVD
EUVD ID Assigned
Apr 27, 2026 - 13:30 euvd
EUVD-2026-25846
Analysis Generated
Apr 27, 2026 - 13:30 vuln.today
CVE Published
Apr 27, 2026 - 13:12 nvd
MEDIUM 4.8

DescriptionCVE.org

Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter

Versions Affected: from 2.6.3 to 2.8.6

Description:

In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (by default it is disabled) intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon.

The PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml configuration → PrometheusPreparableReporter.prepare() → INSECURE_CONNECTION_FACTORY → SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials.

Mitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter Users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate.

AnalysisAI

Improper certificate validation in Apache Storm Prometheus Reporter versions 2.6.3 to 2.8.6 allows man-in-the-middle attacks across all TLS connections in the Storm daemon when the skip_tls_validation configuration option is enabled. Enabling this setting for Prometheus PushGateway connections inadvertently downgrades the JVM-wide SSL context, causing all subsequent HTTPS communications (ZooKeeper, Thrift, Netty, UI) to trust arbitrary certificates without validation, enabling interception of cluster state, topology submissions, and administrative credentials. No public exploit code identified at time of analysis, and EPSS scoring of 0.01% reflects the requirement for explicit administrator misconfiguration to trigger the vulnerability.

Technical ContextAI

The PrometheusPreparableReporter class in Apache Storm implements an INSECURE_TRUST_MANAGER that bypasses standard X.509 certificate validation through empty implementations of checkClientTrusted and checkServerTrusted methods. The root cause stems from CWE-295 (Improper Certificate Validation): when storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation is set to true in storm.yaml, the configuration flows through PrometheusPreparableReporter.prepare() to INSECURE_CONNECTION_FACTORY, which calls SSLContext.setDefault(sslContext). This call replaces the JVM's default SSL context globally rather than restricting the insecure behavior to the Prometheus PushGateway connection alone. Subsequently, all HTTPS traffic in the same process-including ZooKeeper cluster communication, Thrift RPC, Netty network I/O, and Storm UI connections-inherits this disabled certificate validation, enabling acceptance of self-signed, expired, and attacker-generated certificates across the entire cluster topology.

RemediationAI

Upgrade Apache Storm to version 2.8.7 or later immediately if the Prometheus Metrics Reporter is deployed. For organizations unable to upgrade immediately, remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from storm.yaml configuration entirely. If TLS validation must be disabled for the Prometheus PushGateway due to certificate issues, configure a proper Java truststore containing the PushGateway's certificate chain and reference it via system properties (javax.net.ssl.trustStore, javax.net.ssl.trustStorePassword) rather than disabling validation globally. This approach isolates certificate handling to the Prometheus connection without affecting cluster-wide TLS validation. Verify all Storm processes have been restarted after configuration changes. The recommended path is upgrade to 2.8.7; workarounds are temporary and leave the daemon vulnerable to MITM attacks if the setting is re-enabled. References: https://lists.apache.org/thread/f5bv68z1y5xstz22psjk05p3wn86knjq

Share

EUVD-2026-25846 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy