CVE-2026-41081

Name of the Vulnerable Software and Affected Versions Apache Storm versions prior to 2.8.7

Description When TLS transport is enabled without requiring client certificate authentication, the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if verification fails. This occurs because the SSLPeerUnverifiedException is caught and suppressed instead of rejecting the connection. This fail-open behavior allows unauthenticated clients to establish a TLS connection and receive a valid principal identity. If the configured authorizer, such as SimpleACLAuthorizer, does not explicitly deny access to CN=ANONYMOUS, it may lead to unauthorized access to services. This condition is only logged at the debug level, which limits visibility in production environments.

Recommendations Update to version 2.8.7. Enable mandatory client certificate authentication by setting nimbus.thrift.tls.client.auth.required to true. Ensure authorization rules explicitly deny access to CN=ANONYMOUS. Review all ACL configurations for implicit default-allow behavior.