Description

Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs. Mitigation: 2.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6. Credit: This issue was discovered by K.

INFO

Published Date :

2026-04-13T09:11:06.193Z

Last Modified :

2026-04-14T03:55:31.489Z

Source :

apache
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35337 vulnerability.

Vendors Products
Apache
  • Storm
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35337.

URL Resource
http://www.openwall.com/lists/oss-security/2026/04/12/6 cve-icon
https://storm.apache.org/2026/04/12/storm286-released.html cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact