Apache Software Foundation Apache Storm Client vulnerabilities
2 known vulnerabilities affecting apache_software_foundation/apache_storm_client.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 1
Vulnerabilities
CVE-2026-35337 | P2 | HIGH | CVSS 8.8 | fixed in 2.8.6 | 2026-04-13
CWE-502: Deserialization of Untrusted Data vulnerability in Apache Storm
Versions affected: before 2.8.6
Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submi
Source: NVD
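The failure mode in the description is a bare ObjectInputStream.readObject() over a base64 blob from an authenticated caller. The following added example (not Storm's code, and not taken from the advisory) puts that pattern next to a hardened reader that installs an ObjectInputFilter allow-list, so that any class other than the one the blob is expected to carry is rejected before its readObject() runs. The classes TicketBlob and Unexpected, and the sample principal string, are constructed for the demo; Storm's real credential types are not shown on this page.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;
import java.util.Set;

public class CredentialBlobDemo {

    // Hypothetical stand-in for the object a credential blob is expected to carry (constructed sample).
    static final class TicketBlob implements Serializable {
        private static final long serialVersionUID = 1L;
        final String principal;
        final byte[] ticket;
        TicketBlob(String principal, byte[] ticket) { this.principal = principal; this.ticket = ticket; }
    }

    // Any other Serializable type: stands in for a gadget class an attacker would place in the stream.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // In a real gadget chain, attacker-chosen logic runs here, during deserialization itself.
            throw new IllegalStateException("readObject() of an unexpected class ran");
        }
    }

    static String encode(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(obj); }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    // Vulnerable pattern from the advisory: base64-decode and readObject() with no filter at all.
    static Object readUnfiltered(String b64) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(b64);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return ois.readObject();
        }
    }

    // Hardened: allow-list exactly the classes a ticket blob may contain, cap nesting depth, reject the rest.
    static final Set<String> ALLOWED = Set.of(TicketBlob.class.getName(), "java.lang.String", "[B");

    static final ObjectInputFilter TICKET_FILTER = info -> {
        if (info.depth() > 4) return ObjectInputFilter.Status.REJECTED;
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // limits-only callback, no class to judge
        return ALLOWED.contains(c.getName()) ? ObjectInputFilter.Status.ALLOWED
                                             : ObjectInputFilter.Status.REJECTED;
    };

    static TicketBlob readFiltered(String b64) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(b64);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            ois.setObjectInputFilter(TICKET_FILTER);
            Object o = ois.readObject(); // InvalidClassException before an unexpected class is instantiated
            if (!(o instanceof TicketBlob)) throw new InvalidClassException("unexpected type " + o.getClass());
            return (TicketBlob) o;
        }
    }

    public static void main(String[] args) throws Exception {
        String good = encode(new TicketBlob("storm/nimbus@EXAMPLE", new byte[]{1, 2, 3}));
        String bad  = encode(new Unexpected());

        System.out.println("unfiltered, expected blob: " + readUnfiltered(good).getClass().getSimpleName());
        try { readUnfiltered(bad); } catch (IllegalStateException e) {
            System.out.println("unfiltered, hostile blob: " + e.getMessage()); // attacker code already ran
        }
        System.out.println("filtered, expected blob: " + readFiltered(good).principal);
        try { readFiltered(bad); } catch (InvalidClassException e) {
            System.out.println("filtered, hostile blob: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The filter is consulted for every class descriptor and array type in the stream, so the rejection happens while the stream is still being parsed; the hostile object is never constructed. The instanceof check after readObject() is a second line of defence against a stream that is well-typed for the filter but still not the object the caller expected. Setting the filter per stream, as here, is preferable to relying only on the process-wide jdk.serialFilter property, since the allow-list can be as narrow as one call site needs.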
CVE-2026-41081 | P3 | MEDIUM | CVSS 6.5 | fixed in 2.8.7 | 2026-04-27
CWE-287: Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm
Versions affected: up to 2.8.7
Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS)
Source: NVD
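The weakness described here is a transport layer that, when no client certificate was verified, hands downstream code a made-up identity instead of refusing the connection. The added example below (not Storm's TlsTransportPlugin, and not taken from the advisory) shows the two halves a reviewer should look for in JSSE code: the server-side choice between setWantClientAuth (certificate optional) and setNeedClientAuth (handshake fails without one), and what the accept path does when SSLSession.getPeerPrincipal() throws SSLPeerUnverifiedException. Only the CN=ANONYMOUS string comes from the page; the class and method names are constructed for the demo, and running it requires a real keystore and truststore supplied via the standard javax.net.ssl.keyStore and javax.net.ssl.trustStore system properties.

```java
import java.io.IOException;
import java.security.Principal;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.security.auth.x500.X500Principal;

public class MutualTlsAcceptor {

    // Fallback identity of the kind the advisory describes; present only to show the weak pattern.
    static final Principal ANONYMOUS = new X500Principal("CN=ANONYMOUS");

    // Weak: if the client presented no certificate, invent an identity rather than fail.
    // Downstream authorization then sees a non-null, well-formed principal and may treat
    // the caller as authenticated even though nothing about the peer was verified.
    static Principal principalWithAnonymousFallback(SSLSocket socket) {
        try {
            return socket.getSession().getPeerPrincipal();
        } catch (SSLPeerUnverifiedException noClientCert) {
            return ANONYMOUS;
        }
    }

    // Hardened: no verified certificate means no principal and no connection.
    static Principal principalOrReject(SSLSocket socket) throws IOException {
        try {
            return socket.getSession().getPeerPrincipal();
        } catch (SSLPeerUnverifiedException noClientCert) {
            socket.close();
            throw new IOException("client certificate required but none was verified", noClientCert);
        }
    }

    // needClientAuth makes the handshake itself fail for a client without a trusted certificate,
    // so getPeerPrincipal() can only succeed afterwards. wantClientAuth (or neither flag) lets
    // certificate-less clients finish the handshake, which is what leaves room for a fallback identity.
    static SSLServerSocket listen(int port, boolean requireClientCert) throws IOException {
        SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(port);
        if (requireClientCert) {
            server.setNeedClientAuth(true);   // client certificate required
        } else {
            server.setWantClientAuth(true);   // client certificate optional: the weak configuration
        }
        return server;
    }

    public static void main(String[] args) throws IOException {
        // Assumes javax.net.ssl.keyStore / javax.net.ssl.trustStore point at the server certificate
        // and at the CA that issued the client certificates; the JDK does not generate these for you.
        try (SSLServerSocket server = listen(8443, true)) {
            while (true) {
                try (SSLSocket client = (SSLSocket) server.accept()) {
                    client.startHandshake();            // throws SSLHandshakeException if no client cert
                    Principal who = principalOrReject(client);
                    System.out.println("authenticated client: " + who.getName());
                } catch (IOException rejected) {
                    System.out.println("rejected: " + rejected.getMessage());
                }
            }
        }
    }
}
```

The check to make when reviewing such code is whether any path can produce a Principal that no certificate backs. With setNeedClientAuth(true) the handshake enforces the requirement; with setWantClientAuth(true) the application layer must fail closed, as principalOrReject does, because a fabricated identity such as CN=ANONYMOUS will pass any authorization rule that merely asks whether a principal is present.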