CVE-2026-35337: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Storm Client
Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs. Mitigation: 2.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6. Credit: This issue was discovered by K.
AI Analysis
Technical Summary
Apache Storm versions prior to 2.8.6 deserialize base64-encoded TGT blobs from topology credentials using ObjectInputStream.readObject() without any class filtering or validation. This unsafe deserialization allows an authenticated user with topology submission rights to provide a malicious serialized object in the "TGT" credential field, resulting in remote code execution within Nimbus and Worker JVM processes. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). The vendor recommends upgrading to version 2.8.6, which addresses this issue. Alternatively, users can monkey-patch an ObjectInputFilter allow-list to restrict deserialization to javax.security.auth.kerberos.KerberosTicket and its known dependencies as an interim mitigation.
Potential Impact
An authenticated user with topology submission privileges can exploit this vulnerability to execute arbitrary code remotely on both Nimbus and Worker JVMs. This could lead to full compromise of the affected Apache Storm nodes running these JVMs. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
Upgrade Apache Storm to version 2.8.6, which contains an official fix for this vulnerability. For users unable to upgrade immediately, apply a monkey-patch that adds an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket(), restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its dependencies. Follow the guidance provided in the 2.8.6 release notes for implementation details.
CVE-2026-35337: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Storm Client
Description
Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs. Mitigation: 2.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6. Credit: This issue was discovered by K.
CVSS v3.1
Score 8.8high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Apache Storm versions prior to 2.8.6 deserialize base64-encoded TGT blobs from topology credentials using ObjectInputStream.readObject() without any class filtering or validation. This unsafe deserialization allows an authenticated user with topology submission rights to provide a malicious serialized object in the "TGT" credential field, resulting in remote code execution within Nimbus and Worker JVM processes. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). The vendor recommends upgrading to version 2.8.6, which addresses this issue. Alternatively, users can monkey-patch an ObjectInputFilter allow-list to restrict deserialization to javax.security.auth.kerberos.KerberosTicket and its known dependencies as an interim mitigation.
Potential Impact
An authenticated user with topology submission privileges can exploit this vulnerability to execute arbitrary code remotely on both Nimbus and Worker JVMs. This could lead to full compromise of the affected Apache Storm nodes running these JVMs. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
Upgrade Apache Storm to version 2.8.6, which contains an official fix for this vulnerability. For users unable to upgrade immediately, apply a monkey-patch that adds an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket(), restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its dependencies. Follow the guidance provided in the 2.8.6 release notes for implementation details.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-04-02T09:21:36.185Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dcbf1a82d89c981f9a03d1
Added to database: 4/13/2026, 10:02:02 AM
Last enriched: 4/13/2026, 10:16:54 AM
Last updated: 5/27/2026, 4:32:32 PM
Views: 175
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.