CVE-2026-35337
Received Received - Intake
Deserialization Vulnerability in Apache Storm Enables Remote Code Execution

Publication date: 2026-04-13

Last updated on: 2026-04-15

Assigner: Apache Software Foundation

Description
Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation.Β An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs. Mitigation: 2.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6. Credit: This issue was discovered by K.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35337
EUVD
EUVD-2026-21902
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache storm From 2.0.0 (inc) to 2.8.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-35337 is a deserialization of untrusted data vulnerability in Apache Storm versions before 2.8.6.

When processing topology credentials submitted via the Nimbus Thrift API, Apache Storm deserializes a base64-encoded Ticket Granting Ticket (TGT) blob using Java's ObjectInputStream.readObject() method without any class filtering or validation.

This means an authenticated user with topology submission rights can supply a crafted serialized object in the "TGT" credential field, which can lead to remote code execution in both the Nimbus and Worker JVM processes.

Impact Analysis

This vulnerability allows an authenticated user with topology submission privileges to execute arbitrary code remotely on the systems running Apache Storm's Nimbus and Worker JVMs.

Such remote code execution can lead to full compromise of the affected systems, potentially allowing attackers to manipulate data, disrupt services, or gain further access within the environment.

Mitigation Strategies

The primary immediate step to mitigate this vulnerability is to upgrade Apache Storm to version 2.8.6, which contains the fix for this issue.

If upgrading immediately is not possible, users should apply a monkey patch by adding an ObjectInputFilter allow-list to the ClientAuthUtils.deserializeKerberosTicket() method. This patch restricts deserialization to only javax.security.auth.kerberos.KerberosTicket and its known dependencies, preventing unsafe deserialization of untrusted data.

Detailed instructions for applying this monkey patch are available in the release notes of version 2.8.6.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35337. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart