PT-2026-32328 · Apache · Apache Storm
K.Metrics · Published 2026-04-13 · Updated 2026-04-13 · CVE-2026-35337
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache Storm versions prior to 2.8.6
Description: An issue exists when processing topology credentials submitted via the Nimbus Thrift API. The software deserializes the base64-encoded TGT blob using the readObject() function of ObjectInputStream without class filtering or validation. An authenticated user with topology submission rights can provide a crafted serialized object in the TGT credential field, which may lead to remote code execution in both the Nimbus and Worker JVMs.
Recommendations: Upgrade to version 2.8.6. As a temporary workaround, monkey-patch an ObjectInputFilter allow-list into deserializeKerberosTicket() in ClientAuthUtils to restrict deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies.
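The allow-list workaround above, shown as an added Java 9+ example that is not Apache Storm's code: the filter is installed on the ObjectInputStream before readObject() resolves any class, which is the check the vulnerable path lacks. The class and method names, the depth and array limits, and the exact list of JDK classes that KerberosTicket's serialized form depends on are assumptions and must be confirmed against the JDK in use.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Base64;
import java.util.Date;
import java.util.HashMap;

/** Added example (not Apache Storm code): allow-list filtering of a base64 TGT blob. */
public class FilteredTicketReader {
    // Assumed allow-list: KerberosTicket plus the JDK classes in its serialized form
    // (KerberosPrincipal and the package-private key class in the same package, Date,
    // InetAddress and its subclasses). Confirm the set against the JDK actually in use.
    // "!*" rejects every other class. Primitive arrays (byte[], boolean[]) are never
    // rejected by a pattern filter, so the ASN.1 encodings inside the ticket still load.
    static final ObjectInputFilter TICKET_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=1000000;"
            + "javax.security.auth.kerberos.*;java.util.Date;"
            + "java.net.InetAddress;java.net.Inet4Address;java.net.Inet6Address;!*");

    /** Hardened form of the advisory's vulnerable path: the filter is installed before
     *  readObject() resolves any class. Without setObjectInputFilter any class loads. */
    static Object readTicketBlob(String base64Blob) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64Blob);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(TICKET_FILTER);
            return in.readObject();
        }
    }

    // Constructed sample blobs for the demonstration; not real credentials.
    static String encode(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Date accepted: " + readTicketBlob(encode(new Date(0))));
        try {
            readTicketBlob(encode(new HashMap<String, String>())); // benign stand-in for an unexpected class
            System.out.println("BUG: HashMap was accepted");
        } catch (InvalidClassException e) {
            System.out.println("HashMap rejected: " + e.getMessage());
        }
    }
}
```

A rejected class surfaces as InvalidClassException with "filter status: REJECTED", so logging that exception at the Nimbus credential path gives a detection signal for submissions carrying unexpected serialized types.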

Weakness Enumeration: Deserialization of Untrusted Data
Related Identifiers: CVE-2026-35337, GHSA-JF89-3Q6Q-VCGR
Affected Products: Apache Storm