Cyber Posture

CVE-2026-35337

Severity: High · Impact: RCE

Published: 13 April 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: available (Apache Storm 2.8.6)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0027 (50.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35337 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apache Storm. Its CVSS base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation of Remote Services (T1210). Its EPSS score of 0.0027 (a 0.27% estimated probability of exploitation in the next 30 days) places it at the 50.3rd percentile, i.e. in the top 49.7% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- Prevent, SI-2 (Flaw Remediation): remediates the deserialization vulnerability by upgrading to Apache Storm 2.8.6 or, where that is not yet possible, applying the recommended monkey-patch to prevent RCE.

- Prevent, SI-10 (Information Input Validation): enforces validation and class filtering on untrusted TGT blobs submitted via the Nimbus Thrift API before they are deserialized, blocking crafted objects that would lead to RCE.

- Prevent, configuration settings (the page gives no control ID for this item; the description matches CM-6, Configuration Settings): establishes secure configuration settings, such as ObjectInputFilter allow-lists, to mitigate unsafe deserialization in Storm deployments.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability enables remote code execution through deserialization of untrusted data in the Nimbus Thrift API by authenticated users with topology submission rights, directly facilitating Exploitation of Remote Services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs. Mitigation: 2.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6. Credit: This issue was discovered by K.

Deeper analysis [AI-generated]

CVE-2026-35337 is a Deserialization of Untrusted Data vulnerability (CWE-502) in Apache Storm, affecting versions prior to 2.8.6. The issue arises when Storm processes topology credentials submitted via the Nimbus Thrift API, deserializing a base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. This flaw has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated user with topology submission rights can exploit this vulnerability by supplying a crafted serialized object in the "TGT" credential field. Successful exploitation leads to remote code execution in both the Nimbus and Worker JVMs.

Apache Storm advisories recommend that 2.x users upgrade to version 2.8.6 for a complete fix. As an interim measure, users unable to upgrade immediately can apply a monkey-patch to ClientAuthUtils.deserializeKerberosTicket() using an ObjectInputFilter allow-list that restricts deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies; a guide is available in the 2.8.6 release notes. Additional details are provided in the Storm release announcement at https://storm.apache.org/2026/04/12/storm286-released.html and the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/04/12/6.
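The NVD description and the analysis above both describe the same two code shapes: an unfiltered ObjectInputStream.readObject() on a base64 TGT blob, and the interim fix of installing an ObjectInputFilter allow-list restricted to KerberosTicket and its dependencies. The following Java program is an added illustration of that pair written for this page; it is not Storm's code, not the monkey-patch from the 2.8.6 release notes, and it does not touch ClientAuthUtils. The method names deserializeUnfiltered and deserializeFiltered, the SideEffectOnRead class standing in for an attacker's gadget, the dummy ticket (no KDC involved) and the allow-list contents are all assumptions made for the demo; the dependency classes listed (KerberosPrincipal, the package-private KeyImpl session key, Date, the InetAddress types) are what a JDK-serialized KerberosTicket references as far as I know, but the authoritative list for Storm is the one in the 2.8.6 release notes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;
import java.util.Date;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class TgtBlobFilterDemo {

    // ASSUMED allow-list for a JDK-serialized KerberosTicket (not Storm's list; see the
    // 2.8.6 release notes for the real one). Patterns are tried in order; the trailing
    // "!*" rejects every class not named before it. Primitive arrays (byte[], boolean[])
    // are not subject to class patterns, so the ticket's raw fields still load.
    static final String TGT_FILTER_PATTERN =
            "maxdepth=8;maxrefs=64;maxbytes=65536;"          // assumed size limits
          + "javax.security.auth.kerberos.KerberosTicket;"
          + "javax.security.auth.kerberos.KerberosPrincipal;"
          + "javax.security.auth.kerberos.KeyImpl;"          // session key (package-private)
          + "java.util.Date;"                                 // auth/start/end/renewTill
          + "java.net.InetAddress;java.net.Inet4Address;java.net.Inet6Address;"
          + "!*";

    // Vulnerable shape from the advisory: decode, then readObject() with no filter.
    // Any Serializable class on the classpath is instantiated, and its readObject()
    // runs before the cast to KerberosTicket has a chance to fail.
    static KerberosTicket deserializeUnfiltered(String base64Blob)
            throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64Blob);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return (KerberosTicket) in.readObject();
        }
    }

    // Hardened shape: the filter is installed before the first read, so a class that is
    // not on the allow-list is rejected with InvalidClassException before its readObject()
    // ever executes.
    static KerberosTicket deserializeFiltered(String base64Blob)
            throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64Blob);
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(TGT_FILTER_PATTERN);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(filter);
            return (KerberosTicket) in.readObject();
        }
    }

    static String toBase64(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    // Constructed stand-in for an attacker-controlled class (not a real gadget chain):
    // the only thing it does is prove that readObject() ran on the server side.
    static final class SideEffectOnRead implements Serializable {
        private static final long serialVersionUID = 1L;
        static volatile boolean triggered = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true; // a real gadget chain would reach code execution here
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed, structurally valid TGT: dummy ASN.1 bytes, 16-byte key, etype 17
        // (aes128-cts-hmac-sha1-96), no renew time, no client addresses. No KDC needed.
        long now = System.currentTimeMillis();
        KerberosTicket legit = new KerberosTicket(
                new byte[] {0x61, 0x00},
                new KerberosPrincipal("alice@EXAMPLE.COM"),
                new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM"),
                new byte[16], 17, null,
                new Date(now), new Date(now), new Date(now + 36_000_000L), null, null);
        String legitBlob = toBase64(legit);
        String craftedBlob = toBase64(new SideEffectOnRead());

        System.out.println("unfiltered, legit ticket: "
                + deserializeUnfiltered(legitBlob).getClient().getName());
        try {
            deserializeUnfiltered(craftedBlob);
        } catch (ClassCastException e) {
            // The cast fails, but only after the attacker's readObject() already ran.
            System.out.println("unfiltered, crafted blob: side effect ran = "
                    + SideEffectOnRead.triggered);
        }

        SideEffectOnRead.triggered = false;
        System.out.println("filtered, legit ticket: "
                + deserializeFiltered(legitBlob).getServer().getName());
        try {
            deserializeFiltered(craftedBlob);
        } catch (InvalidClassException e) {
            System.out.println("filtered, crafted blob rejected (" + e.getMessage()
                    + "), side effect ran = " + SideEffectOnRead.triggered);
        }
    }
}
```

Run it with `javac TgtBlobFilterDemo.java && java TgtBlobFilterDemo` on Java 9 or later. The unfiltered path prints `side effect ran = true` for the crafted blob, because the ClassCastException is thrown only after the stand-in's readObject() has executed; the filtered path prints `filter status: REJECTED` and `side effect ran = false`, and the legitimate ticket round-trips through both. When adapting the idea to a real deployment, start from the class list in the 2.8.6 release notes rather than from this one, and remember that setObjectInputFilter must be called before the first readObject() on the stream or it throws IllegalStateException.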

Details

CWE(s)

CWE-502 Deserialization of Untrusted Data

Affected Products

apache / storm: versions 2.0.0 up to, but not including, 2.8.6 (2.8.6 is the fixed release)

CVEs Like This One

CVE-2025-26866 (same vendor: Apache)
CVE-2026-27172 (same vendor: Apache)
CVE-2025-66524 (same vendor: Apache)
CVE-2024-47552 (same vendor: Apache)
CVE-2026-40858 (same vendor: Apache)
CVE-2025-54920 (same vendor: Apache)
CVE-2024-56180 (same vendor: Apache)
CVE-2026-40860 (same vendor: Apache)
CVE-2025-61622 (same vendor: Apache)
CVE-2026-25747 (same vendor: Apache)

References

Apache Storm 2.8.6 release announcement: https://storm.apache.org/2026/04/12/storm286-released.html
oss-security mailing list post: http://www.openwall.com/lists/oss-security/2026/04/12/6