CVE-2026-40557 Overview
CVE-2026-40557 is an Improper Certificate Validation vulnerability [CWE-295] in the Apache Storm Prometheus Reporter affecting versions 2.6.3 through 2.8.6. The flaw resides in the PrometheusPreparableReporter class, whose INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext). Enabling the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation option therefore replaces the JVM's default SSL context globally instead of scoping it to the Prometheus PushGateway connection. The undocumented side effect is that certificate validation is disabled for every TLS client in the Storm daemon process that obtains its context from SSLContext.getDefault(), not only for the metrics push.
Critical Impact
A single misconfigured Prometheus metrics flag silently disables certificate validation for ZooKeeper, Thrift, Netty, and UI connections, exposing cluster traffic to man-in-the-middle interception.
Affected Products
- Apache Storm Prometheus Reporter, versions 2.6.3 through 2.8.6 inclusive
Discovery Timeline
- 2026-04-27 - CVE-2026-40557 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-40557
Vulnerability Analysis
The PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER whose checkClientTrusted and checkServerTrusted methods are empty, so no certificate chain is ever rejected. When an administrator sets storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true in storm.yaml, the reporter's prepare() method invokes INSECURE_CONNECTION_FACTORY, which calls SSLContext.setDefault(sslContext). This replaces the process-wide default SSL context rather than applying the insecure context only to the Prometheus PushGateway client. Any TLS client in the same JVM that subsequently obtains its context through SSLContext.getDefault(), which is what HttpsURLConnection does when no explicit SSLSocketFactory has been set, inherits the unsafe trust manager. The Storm daemon then accepts self-signed, expired, and attacker-generated certificates on its connections to ZooKeeper, the Thrift API, Netty workers, and the UI service.
Root Cause
The defect is a scoping error in TLS configuration. The Prometheus reporter installs its custom SSLContext through the global SSLContext.setDefault() API instead of attaching it to the PushGateway client alone, for example with HttpsURLConnection.setSSLSocketFactory() on that one connection or an HTTP client built with its own SSLContext. The administrator-facing configuration name implies a reporter-local setting, but the implementation has JVM-wide effect.
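The scoping error and its fix side by side, as an added illustration written for this page rather than taken from Apache Storm's source: first the global pattern the advisory describes, then a context built from a dedicated truststore and attached to the PushGateway HttpsURLConnection only. The class name, the PushGateway hostname and URL, and the truststore arguments are assumptions; Storm's real reporter may drive the PushGateway through a different HTTP API, and the point here is the scoping, not the request.

```java
// Added example, not Apache Storm code. Placeholders: class name, PushGateway URL,
// truststore path/password passed on the command line.
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class PushGatewayTlsScope {

    /** The all-trusting manager the advisory describes; kept only for contrast. */
    private static final TrustManager[] INSECURE_TRUST_MANAGER = {
        new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    /** Vulnerable pattern: replaces the process-wide default, so every later
     *  SSLContext.getDefault() caller in this JVM stops validating chains. */
    static void vulnerableGlobalDowngrade() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, INSECURE_TRUST_MANAGER, null);
        SSLContext.setDefault(ctx);   // the scoping error
    }

    /** Hardened: a context backed by a dedicated truststore (JKS or PKCS12; Java 9+
     *  reads either through the default type). It is never installed as the default. */
    static SSLContext contextFromTruststore(String path, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Attach the factory to this one connection only. The JVM default stays
     *  untouched and HttpsURLConnection's default hostname verification still runs. */
    static HttpsURLConnection openPushGateway(URL url, SSLSocketFactory factory) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection(); // no I/O yet
        conn.setSSLSocketFactory(factory);
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        return conn;   // caller writes the metrics body and reads getResponseCode()
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: PushGatewayTlsScope <truststore> <password>");
            return;
        }
        SSLContext defaultBefore = SSLContext.getDefault();
        SSLSocketFactory scoped =
            contextFromTruststore(args[0], args[1].toCharArray()).getSocketFactory();
        URL pushGateway = new URL("https://pushgateway.example.internal:9091/metrics/job/storm");
        HttpsURLConnection conn = openPushGateway(pushGateway, scoped);

        System.out.println("connection uses scoped factory: " + (conn.getSSLSocketFactory() == scoped));
        System.out.println("JVM default context untouched: " + (SSLContext.getDefault() == defaultBefore));
        // Calling vulnerableGlobalDowngrade() first would make the second line print false
        // for every context fetched afterwards, which is exactly the CVE's side effect.
    }
}
```

Compile with javac and run with a truststore path and password; no network traffic is generated, since HttpsURLConnection does not connect until the body is written, and both lines print true. The hardened path never calls SSLContext.setDefault, which is the entire fix; a per-connection factory also leaves hostname verification in place, whereas an empty checkServerTrusted already defeats chain validation before the hostname is ever compared.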
Attack Vector
An attacker positioned on the network path between Storm daemons and supporting services can present any certificate during the TLS handshake. The Storm process accepts the certificate without warning. The adversary can then intercept or modify cluster state updates, topology submissions, tuple data, and administrative credentials. Exploitation requires the operator to have enabled the skip_tls_validation flag and the attacker to achieve a network-adjacent position, which raises attack complexity.
No public proof-of-concept code is available. See the Apache Mailing List Discussion and the OpenWall OSS-Security Post for vendor-supplied technical detail.
Detection Methods for CVE-2026-40557
Indicators of Compromise
- Presence of storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true in any storm.yaml file across cluster nodes.
- Successful TLS handshakes from Storm daemons to ZooKeeper, Thrift, Netty, or UI endpoints using certificates that do not chain to the cluster's configured truststore.
- Unexpected TLS certificate fingerprints observed in network captures between Storm components.
Detection Strategies
- Audit configuration management repositories and deployed storm.yaml files for the skip_tls_validation flag set to true.
- Inspect Storm daemon startup output and metrics reporter initialization logs for the PrometheusPreparableReporter being loaded; a daemon that loads the reporter with skip_tls_validation set to true has had its default SSL context replaced, whether or not the reporter logs anything about INSECURE_CONNECTION_FACTORY.
- Compare the certificate chains presented to Storm daemons against the expected internal certificate authority to identify rogue or self-signed certificates.
Monitoring Recommendations
- Monitor out of band the certificates actually presented by the ZooKeeper, Thrift, and UI listeners Storm talks to, for example by recording their fingerprints from a trusted host on a schedule and alerting on any change, and pin those fingerprints where the client supports it. Public Certificate Transparency logs do not cover certificates issued by an internal CA, so they are no substitute here.
- Forward Storm daemon logs and configuration change events to a centralized log platform and alert on modifications to metrics reporter settings.
- Monitor for new or unexpected outbound connections from Storm hosts that could indicate an interception position.
How to Mitigate CVE-2026-40557
Immediate Actions Required
- Identify every Storm deployment running versions 2.6.3 through 2.8.6 that loads the Prometheus Metrics Reporter.
- Remove storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true from storm.yaml on all affected nodes and restart the daemons.
- Configure a truststore that contains the Prometheus PushGateway certificate, or better the CA that issued it, and point the Storm daemon JVM options at it. Because -Djavax.net.ssl.trustStore replaces the JVM's default cacerts rather than extending it, that truststore must also hold every CA the daemon needs for its ZooKeeper, Thrift, and UI connections.
- Rotate any credentials, tokens, or topology secrets that may have traversed a downgraded TLS channel.
Patch Information
Apache has released Apache Storm 2.8.7, which corrects the SSL context scoping in PrometheusPreparableReporter. Users of the Prometheus Metrics Reporter on the 2.x branch should upgrade to 2.8.7. The fix is described in the Apache Mailing List Discussion.
Workarounds
- Disable the Prometheus Metrics Reporter entirely until upgrading to 2.8.7.
- Replace the skip_tls_validation flag with a properly configured truststore containing the PushGateway certificate.
- Issue a valid certificate to the Prometheus PushGateway from the same certificate authority that signs other internal services, eliminating any operational reason to bypass validation.
# Configuration example: remove the unsafe flag and supply a truststore
# In storm.yaml, ensure the following line is NOT present:
# storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true
#
# Daemon JVM flags are set through the *.childopts keys in storm.yaml. The
# STORM_JAR_JVM_OPTS environment variable only applies to the "storm jar"
# client, not to nimbus, supervisor, or ui. Keep whatever options each key
# already holds and append the truststore flags to every daemon that loads
# the reporter, for example:
# nimbus.childopts: "-Djavax.net.ssl.trustStore=/etc/storm/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=JKS"
# supervisor.childopts: "-Djavax.net.ssl.trustStore=/etc/storm/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=JKS"
# ui.childopts: "-Djavax.net.ssl.trustStore=/etc/storm/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=JKS"
#
# -Djavax.net.ssl.trustStore replaces the JVM's default cacerts rather than
# extending it, so this truststore must also contain the CA(s) that issued the
# ZooKeeper, Thrift, and UI certificates, or those connections stop validating
# once the flag is removed.
#
# Import the PushGateway certificate (or, preferably, its issuing CA) into the truststore:
keytool -importcert \
  -alias prometheus-pushgateway \
  -file pushgateway.crt \
  -keystore /etc/storm/truststore.jks \
  -storepass changeit \
  -noprompt
# Confirm the entry is present as a trusted certificate:
keytool -list -keystore /etc/storm/truststore.jks -storepass changeit | grep -i prometheus-pushgateway
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


