CVE-2026-41081
Improper TLS Authentication in Apache Storm Enables Unauthorized Access
Publication date: 2026-04-27
Last updated on: 2026-04-28
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | storm | to 2.8.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41081 is a vulnerability in Apache Storm versions up to 2.8.7 related to improper handling of TLS client authentication failures.
When TLS transport is enabled without requiring client certificate authentication (which is the default setting), the TlsTransportPlugin assigns a fallback principal with the common name (CN) "ANONYMOUS" if no client certificate is presented or if certificate verification fails.
Instead of rejecting the connection when authentication fails, the system catches and suppresses the SSLPeerUnverifiedException, resulting in a fail-open behavior.
This means an unauthenticated client can still establish a TLS connection and receive a valid principal identity, potentially allowing unauthorized access if the authorization rules do not explicitly deny access to CN=ANONYMOUS.
How can this vulnerability impact me? :
The vulnerability can allow unauthenticated clients to bypass authorization controls in Apache Storm services.
Because the system assigns a fallback principal identity (CN=ANONYMOUS) instead of rejecting failed TLS client authentications, unauthorized users may gain access if the authorization configuration is permissive or misconfigured.
Additionally, the condition is only logged at debug level, which reduces visibility of the issue in production environments, making it harder to detect unauthorized access.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is logged only at debug level when a TLS client authentication failure occurs and the fallback principal CN=ANONYMOUS is assigned. Therefore, detection involves enabling debug-level logging in Apache Storm to monitor for these events.
You can check your Storm logs for entries indicating the assignment of the CN=ANONYMOUS principal or SSLPeerUnverifiedException occurrences.
Additionally, you can inspect network traffic to identify TLS connections where client certificates are not presented or fail verification.
- Enable debug logging in Apache Storm to capture TLS client authentication failures.
- Search logs for keywords such as "ANONYMOUS" or "SSLPeerUnverifiedException".
- Use network monitoring tools (e.g., tcpdump or Wireshark) to capture TLS handshake traffic and verify if client certificates are being presented.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Apache Storm to version 2.8.7 or later, where TLS authentication failures are handled in a fail-closed manner.
If upgrading immediately is not possible, the following steps should be taken:
- Enable mandatory client certificate authentication by setting `nimbus.thrift.tls.client.auth.required` to true.
- Explicitly deny access to the fallback principal CN=ANONYMOUS in your authorization rules.
- Review all Access Control List (ACL) configurations to ensure there is no implicit default-allow behavior that could permit unauthorized access.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated clients to be assigned a valid principal identity (CN=ANONYMOUS) due to improper handling of TLS client authentication failures. This fail-open behavior can lead to unauthorized access to Apache Storm services if authorization rules do not explicitly deny access to the anonymous principal.
Such unauthorized access risks violating security and privacy requirements commonly mandated by standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.
Because the vulnerability reduces the effectiveness of authentication and authorization mechanisms, it may result in non-compliance with these regulations unless mitigations are applied.
Mitigations include upgrading to Apache Storm 2.8.7 where TLS authentication failures are handled in a fail-closed manner, enabling mandatory client certificate authentication, explicitly denying access to the anonymous principal, and reviewing ACL configurations to prevent implicit default-allow behavior.