PT-2026-35413 · Apache · Apache Storm

Published: 2026-04-27 · Updated: 2026-04-28 · CVE-2026-40557

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Apache Storm versions 2.6.3 through 2.8.6

Description: Improper certificate validation occurs in the Prometheus Reporter when the storm.daemon.metrics.reporter.plugin.prometheus.skip tls validation configuration option is enabled. The PrometheusPreparableReporter class uses an INSECURE TRUST MANAGER that accepts every SSL certificate without validation, because its checkClientTrusted and checkServerTrusted methods are empty. When that option is active, the INSECURE CONNECTION FACTORY calls SSLContext.setDefault(sslContext), which replaces the default SSL context of the entire Java Virtual Machine (JVM) instead of confining the insecure context to the Prometheus connection. As a result, every HTTPS connection made by the process, including ZooKeeper, Thrift, Netty and UI connections, trusts all certificates, including self-signed or attacker-generated ones. This allows man-in-the-middle interception of administrative credentials, topology submissions, cluster state and tuple data.

Recommendations: Upgrade to version 2.8.7. Remove the storm.daemon.metrics.reporter.plugin.prometheus.skip tls validation: true setting from the storm.yaml configuration and configure a proper truststore containing the PushGateway's certificate.
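As an added illustration, not code from Apache Storm or from this advisory, the following shows the correctly scoped alternative to the pattern described above: a trust manager built from a dedicated PushGateway truststore and attached to a single HttpsURLConnection, never installed with SSLContext.setDefault. The truststore path, password and PushGateway URL are hypothetical placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class ScopedPushGatewayTls {

    // Build a context that trusts only the certificates in the given truststore.
    // Path and password are hypothetical; in Storm they would come from storm.yaml.
    static SSLContext contextFromTruststore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        // Deliberately no SSLContext.setDefault(ctx): the context is returned to the
        // caller and stays local to the connections it is explicitly handed to.
        return ctx;
    }

    // Scope the socket factory to this one connection. ZooKeeper, Thrift, Netty and
    // UI clients in the same JVM keep the process-wide defaults and default verifier.
    static HttpsURLConnection openPushGateway(URL url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        return conn;
    }

    // Check a defender can put in a unit test: the JVM default context must remain
    // untouched by the reporter, which is exactly what the vulnerable code broke.
    static boolean jvmDefaultUntouched(SSLContext reporterCtx) throws Exception {
        return SSLContext.getDefault() != reporterCtx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFromTruststore("/etc/storm/pushgateway-truststore.jks",
                "changeit".toCharArray());                       // hypothetical path/password
        URL url = new URL("https://pushgateway.example.internal:9091/metrics/job/storm");
        HttpsURLConnection conn = openPushGateway(url, ctx);
        try (OutputStream out = conn.getOutputStream()) {
            out.write("storm_reporter_up 1\n".getBytes(StandardCharsets.UTF_8));
        }
        System.out.println("PushGateway status " + conn.getResponseCode()
                + ", JVM default untouched: " + jvmDefaultUntouched(ctx));
    }
}
```

The same scoping applies to any other HTTP client the reporter might use (pass the SSLContext or socket factory to that client's builder rather than to SSLContext.setDefault).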

Fix

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2026-40557
GHSA-82FM-WPC2-5PMP

Affected Products

Apache Storm