Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35337

CVE-2026-35337: Apache Storm RCE Vulnerability

CVE-2026-35337 is a remote code execution vulnerability in Apache Storm caused by unsafe deserialization. Attackers can exploit this to execute arbitrary code. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-35337 Overview

CVE-2026-35337 is an insecure deserialization vulnerability affecting Apache Storm, a distributed real-time computation system. When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs.

Critical Impact

This vulnerability allows authenticated attackers with topology submission rights to achieve remote code execution on Apache Storm clusters, potentially compromising both the Nimbus master node and all Worker nodes processing topologies.

Affected Products

  • Apache Storm versions before 2.8.6
  • Apache Storm 2.x series (all versions prior to the patch)
  • Any deployment utilizing Kerberos authentication with topology credential submission

Discovery Timeline

  • April 12, 2026 - Apache Storm releases security patch in version 2.8.6
  • April 13, 2026 - CVE-2026-35337 published to NVD
  • April 15, 2026 - Last updated in NVD database

Technical Details for CVE-2026-35337

Vulnerability Analysis

This vulnerability falls under CWE-502 (Deserialization of Untrusted Data), a well-known class of security issues in Java applications. The flaw exists in how Apache Storm handles Kerberos ticket credentials during topology submission. When an authenticated user submits a topology through the Nimbus Thrift API, they can include credential information including Kerberos TGT (Ticket Granting Ticket) blobs. The ClientAuthUtils.deserializeKerberosTicket() method processes these TGT credentials by directly passing the base64-decoded data to Java's native ObjectInputStream.readObject() method without implementing any deserialization filters or class whitelisting.

This architectural oversight allows attackers to exploit Java's serialization mechanism by crafting malicious serialized objects that execute arbitrary code upon deserialization. Common gadget chains from libraries present in the Storm classpath (such as commons-collections, spring-beans, or other dependencies) can be leveraged to achieve remote code execution.

Root Cause

The root cause is the absence of deserialization controls in the ClientAuthUtils.deserializeKerberosTicket() method. Java deserialization is inherently dangerous when processing untrusted input because the readObject() method can trigger code execution through specially crafted serialized objects. The affected code path directly deserializes user-supplied credential data without implementing ObjectInputFilter restrictions to limit which classes can be instantiated during the deserialization process. This allows attackers to inject gadget chains that leverage existing classes in the application classpath to execute arbitrary code.

Attack Vector

The attack requires network access to the Nimbus Thrift API and authentication with topology submission privileges. An attacker would craft a malicious serialized Java object containing a gadget chain compatible with libraries present in Storm's classpath. This payload is then base64-encoded and submitted as the "TGT" credential field during topology submission. When the Nimbus server processes this credential, the deserialization triggers the gadget chain, resulting in code execution within the Nimbus JVM. If the malicious topology is distributed to Worker nodes, code execution can also occur on those systems during credential processing.

The attack does not require user interaction and can be executed remotely over the network. While authentication is required, any user with topology submission rights can exploit this vulnerability, making it particularly dangerous in multi-tenant Storm deployments.

Detection Methods for CVE-2026-35337

Indicators of Compromise

  • Unusual or unexpected classes appearing in Java deserialization logs on Nimbus or Worker nodes
  • Topology submissions containing abnormally large or suspicious base64-encoded TGT credential blobs
  • Unexpected process spawning or network connections originating from Nimbus or Worker JVM processes
  • Error messages related to deserialization failures with non-Kerberos class types in Storm logs

Detection Strategies

  • Monitor Nimbus Thrift API access logs for topology submissions from unexpected sources or with unusual credential sizes
  • Implement network segmentation monitoring to detect outbound connections from Storm cluster nodes to unexpected destinations
  • Deploy Java agent-based monitoring to track ObjectInputStream.readObject() calls and flag suspicious class instantiation patterns
  • Configure SIEM rules to correlate authentication events with subsequent anomalous process behavior on Storm infrastructure

Monitoring Recommendations

  • Enable verbose logging for the ClientAuthUtils class and monitor for deserialization-related exceptions
  • Implement file integrity monitoring on Storm installation directories to detect post-exploitation modifications
  • Monitor for unusual CPU or memory consumption patterns on Nimbus and Worker nodes that could indicate cryptominer or other malware execution
  • Review and audit all users with topology submission privileges regularly

How to Mitigate CVE-2026-35337

Immediate Actions Required

  • Upgrade all Apache Storm deployments to version 2.8.6 or later immediately
  • Audit current topology submission permissions and revoke access from any untrusted or unnecessary accounts
  • Review recent topology submissions for suspicious credential content prior to patching
  • Implement network segmentation to restrict Nimbus Thrift API access to only authorized systems

Patch Information

Apache has released version 2.8.6 which addresses this vulnerability by implementing proper deserialization controls. Users running Apache Storm 2.x versions should upgrade to 2.8.6 as soon as possible. The patch implements an ObjectInputFilter allow-list that restricts deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies, preventing the instantiation of gadget chain classes during TGT credential processing.

For detailed patch information and upgrade instructions, see the Apache Storm 2.8.6 Release Announcement. Additional security discussion is available on the OpenWall OSS Security Mailing List.

Workarounds

  • For users who cannot upgrade immediately, implement a monkey-patch to add an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies
  • Restrict network access to the Nimbus Thrift API using firewall rules to limit exposure
  • Implement strict access controls to minimize the number of users with topology submission rights
  • Consider temporarily disabling Kerberos-based authentication if not strictly required until patching is complete

The Apache Storm release notes for version 2.8.6 include a detailed guide on implementing the monkey-patch workaround for organizations unable to immediately upgrade.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.