CVE-2026-35337
Published: 2026-04-13
Priority: P2 (64) · Severity: high · CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.01% (58.8th percentile)
Deserialization of Untrusted Data vulnerability in Apache Storm.
Versions Affected:
before 2.8.6.
Description:
When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs.
Mitigation:
2.x users should upgrade to 2.8.6.
Users who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6.
Credit: This issue was discovered by K.
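Added illustration, not Storm's code: the unfiltered ObjectInputStream.readObject() path the description refers to, beside a version that installs an ObjectInputFilter allow-list of the kind the mitigation recommends. The class list, the graph limits and the class name TgtBlobDeserializer are assumptions for this example; the authoritative dependency list is the one in the 2.8.6 release notes.

```java
import java.io.*;
import static java.io.ObjectInputFilter.Status.*;
import java.util.Base64;
import java.util.Set;
import javax.security.auth.kerberos.KerberosTicket;

public final class TgtBlobDeserializer {

    // Pattern the advisory describes: readObject() with no class filtering.
    // Any Serializable class on the classpath is instantiated before the cast is evaluated.
    static KerberosTicket unfiltered(String base64Blob) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64Blob);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return (KerberosTicket) in.readObject();
        }
    }

    // Allow-list of classes a serialized KerberosTicket may reference. ASSUMPTION: this list is
    // illustrative; the authoritative one is in the Storm 2.8.6 release notes the advisory cites.
    private static final Set<String> ALLOW_LIST = Set.of(
        "javax.security.auth.kerberos.KerberosTicket", "javax.security.auth.kerberos.KerberosPrincipal",
        "javax.security.auth.kerberos.KeyImpl", "java.lang.String", "java.util.Date",
        "java.net.InetAddress", "java.net.Inet4Address", "java.net.Inet6Address");

    // Default-deny filter with graph limits (the limits are example values, not from the advisory).
    static final ObjectInputFilter TGT_FILTER = info -> {
        if (info.depth() > 8 || info.references() > 64) return REJECTED;
        Class<?> c = info.serialClass();
        if (c == null) return UNDECIDED;                 // depth/reference probe, not a class
        while (c.isArray()) c = c.getComponentType();    // judge arrays by their element type
        return c.isPrimitive() || ALLOW_LIST.contains(c.getName()) ? ALLOWED : REJECTED;
    };

    static KerberosTicket filtered(String base64Blob) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64Blob);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(TGT_FILTER);         // must be installed before readObject()
            Object o = in.readObject();                  // a rejected class throws InvalidClassException here
            if (!(o instanceof KerberosTicket t)) throw new InvalidClassException(o.getClass().getName());
            return t;
        }
    }

    record NotATicket(String note) implements Serializable {}   // constructed stand-in, not a gadget

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(new NotATicket("sample")); }
        String blob = Base64.getEncoder().encodeToString(bos.toByteArray());
        try { unfiltered(blob); } catch (ClassCastException e) { System.out.println("unfiltered: object instantiated, only the cast failed"); }
        try { filtered(blob); } catch (InvalidClassException e) { System.out.println("filtered: rejected, " + e.getMessage()); }
    }
}
```

The unfiltered path builds the foreign object graph before its cast fails, which is the CWE-502 condition; the filtered path refuses the first class that is not on the list, before any instance exists.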
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | storm | >= 2.0.0 < 2.8.6 | 2.8.6 |
| apache_software_foundation | apache_storm_client | < 2.8.6 | 2.8.6 |
GHSA (ghsa · 2026-04-13 · HIGH · CWE-502): Apache Storm: Deserialization of Untrusted Data vulnerability
GHSA-jf89-3q6q-vcgr (ghsa_unreviewed · 2026-04-13 · HIGH · CWE-502): Deserialization of Untrusted Data vulnerability in Apache Storm
VulDB (vuldb · 2026-04-12 · CVSS 8.8 · HIGH): Apache Storm Client up to 2.8.5 Kerberos TGT Credential ObjectInputStream.readObject deserialization
A vulnerability was found in Apache Storm Client up to 2.8.5. It has been declared as critical. Affected is the function ObjectInputStream.readObject of the component Kerberos TGT Credential Handler. The manipulation results in deserialization.
This vulnerability was named CVE-2026-35337. The attack may be performed from remote. There is no available exploit.
It is recommended to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.