CVE-2026-35337 · HIGH 8.8 · EPSS percentile 58.6%


Description

Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs. Mitigation: 2.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6. Credit: This issue was discovered by K.
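As an added illustration of the allow-list mitigation named above (this is not Storm's code and not the guide from the 2.8.6 release notes), the following Java method decodes the base64 TGT blob and reads it through a java.io.ObjectInputFilter (Java 9+) that admits only javax.security.auth.kerberos types and the JDK value types a serialized KerberosTicket carries; the class name FilteredTicketDeserializer and the exact allow-list are assumptions that must be checked against the release notes before use.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.util.Base64;
import javax.security.auth.kerberos.KerberosTicket;

/**
 * Hypothetical hardened counterpart of the vulnerable pattern described in
 * CVE-2026-35337: the TGT credential is still deserialized with
 * ObjectInputStream, but behind an allow-list filter instead of unfiltered.
 */
public final class FilteredTicketDeserializer {

    // Assumed allow-list: KerberosTicket and its package-private helpers
    // (KerberosPrincipal, KeyImpl) plus java.util.Date and java.net.InetAddress.
    // Primitive arrays (byte[], boolean[]) need no entry; the filter matches
    // array component types. Everything unmatched is rejected by "!*".
    static final ObjectInputFilter TGT_FILTER = ObjectInputFilter.Config.createFilter(
            "javax.security.auth.kerberos.*;"
          + "java.util.Date;"
          + "java.net.InetAddress;java.net.Inet4Address;java.net.Inet6Address;"
          + "maxdepth=8;maxrefs=64;maxbytes=65536;"
          + "!*");

    private FilteredTicketDeserializer() {}

    /** Decodes and deserializes a base64 TGT blob, rejecting any other class graph. */
    public static KerberosTicket deserializeKerberosTicket(String base64Tgt) throws IOException {
        byte[] blob = Base64.getDecoder().decode(base64Tgt);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            // Must be set before readObject(); a disallowed class raises InvalidClassException.
            ois.setObjectInputFilter(TGT_FILTER);
            Object obj = ois.readObject();
            // Defence in depth: even an allowed class graph must yield a ticket.
            if (!(obj instanceof KerberosTicket)) {
                throw new IOException("TGT credential did not deserialize to a KerberosTicket");
            }
            return (KerberosTicket) obj;
        } catch (ClassNotFoundException e) {
            throw new IOException("unexpected class in TGT credential", e);
        }
    }
}
```

A filter rejection surfaces as java.io.InvalidClassException before any constructor or readObject() of the rejected class runs, which is the point of applying it on the Nimbus and Worker side rather than trusting the submitter.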

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.01% probability of exploitation · percentile 58.6% · 2026-06-19T12:03:05Z
Published: 2026-04-13
Last modified: 2026-04-15

Underlying weaknesses (1)

CWE-502

References

  1. https://storm.apache.org/2026/04/12/storm286-released.html
  2. http://www.openwall.com/lists/oss-security/2026/04/12/6


Type      Target                                       Confidence  Tier
Weakness  Deserialization of Untrusted Data (cwe-502)  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-25747
  2. CVE: CVE-2025-53606
  3. CVE: CVE-2025-29953
  4. CVE: Apache ActiveMQ Deserialization of Untrusted Data Vulnerability
  5. CVE: CVE-2025-32897
  6. CVE: CVE-2025-54539
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.