CVE-2026-35337: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Storm Client
CVE-2026-35337 is a deserialization of untrusted data vulnerability in Apache Storm versions before 2. 8. 6. The vulnerability arises when topology credentials submitted via the Nimbus Thrift API are deserialized without class filtering, allowing an authenticated user with topology submission rights to supply crafted serialized objects. This can lead to remote code execution in both Nimbus and Worker JVMs. A fixed version, 2. 8. 6, is available. For users unable to upgrade immediately, a recommended mitigation is to apply an ObjectInputFilter allow-list restricting deserialized classes to KerberosTicket and its dependencies.
AI Analysis
Technical Summary
Apache Storm versions prior to 2.8.6 deserialize base64-encoded TGT blobs from topology credentials using ObjectInputStream.readObject() without any class filtering or validation. This unsafe deserialization allows an authenticated user with topology submission rights to provide a malicious serialized object in the "TGT" credential field, resulting in remote code execution within Nimbus and Worker JVM processes. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). The vendor recommends upgrading to version 2.8.6, which addresses this issue. Alternatively, users can monkey-patch an ObjectInputFilter allow-list to restrict deserialization to javax.security.auth.kerberos.KerberosTicket and its known dependencies as an interim mitigation.
Potential Impact
An authenticated user with topology submission privileges can exploit this vulnerability to execute arbitrary code remotely on both Nimbus and Worker JVMs. This could lead to full compromise of the affected Apache Storm nodes running these JVMs. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
Upgrade Apache Storm to version 2.8.6, which contains an official fix for this vulnerability. For users unable to upgrade immediately, apply a monkey-patch that adds an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket(), restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its dependencies. Follow the guidance provided in the 2.8.6 release notes for implementation details.
CVE-2026-35337: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Storm Client
Description
CVE-2026-35337 is a deserialization of untrusted data vulnerability in Apache Storm versions before 2. 8. 6. The vulnerability arises when topology credentials submitted via the Nimbus Thrift API are deserialized without class filtering, allowing an authenticated user with topology submission rights to supply crafted serialized objects. This can lead to remote code execution in both Nimbus and Worker JVMs. A fixed version, 2. 8. 6, is available. For users unable to upgrade immediately, a recommended mitigation is to apply an ObjectInputFilter allow-list restricting deserialized classes to KerberosTicket and its dependencies.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Apache Storm versions prior to 2.8.6 deserialize base64-encoded TGT blobs from topology credentials using ObjectInputStream.readObject() without any class filtering or validation. This unsafe deserialization allows an authenticated user with topology submission rights to provide a malicious serialized object in the "TGT" credential field, resulting in remote code execution within Nimbus and Worker JVM processes. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). The vendor recommends upgrading to version 2.8.6, which addresses this issue. Alternatively, users can monkey-patch an ObjectInputFilter allow-list to restrict deserialization to javax.security.auth.kerberos.KerberosTicket and its known dependencies as an interim mitigation.
Potential Impact
An authenticated user with topology submission privileges can exploit this vulnerability to execute arbitrary code remotely on both Nimbus and Worker JVMs. This could lead to full compromise of the affected Apache Storm nodes running these JVMs. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
Upgrade Apache Storm to version 2.8.6, which contains an official fix for this vulnerability. For users unable to upgrade immediately, apply a monkey-patch that adds an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket(), restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its dependencies. Follow the guidance provided in the 2.8.6 release notes for implementation details.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-04-02T09:21:36.185Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dcbf1a82d89c981f9a03d1
Added to database: 4/13/2026, 10:02:02 AM
Last enriched: 4/13/2026, 10:16:54 AM
Last updated: 4/13/2026, 11:02:24 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.