Apache Storm security advisories
Security information for Apache Storm
Reporting
Do you want disclose a potential security issue for Apache Storm? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Anonymous principal assigned on TLS client certificate verification failure
CVE-2026-41081 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-27T13:10:44.288Z
Affected
- Apache Storm Client before 2.8.7
Description
Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm
Versions Affected: up to 2.8.7
Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection.
This fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production.
Impact: Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments.
Mitigation: Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner.
Users who cannot upgrade immediately should:
- Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true)
- Ensure authorization rules explicitly deny access to CN=ANONYMOUS
- Review all ACL configurations for implicit default-allow behavior
References
Credits
- K (finder)
Disabling TLS verification for Prometheus Reporter also disables it for all other connections
CVE-2026-40557 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-27T13:12:09.640Z
Affected
- Apache Storm Prometheus Reporter from 2.6.3 before 2.8.7
Description
Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter
Versions Affected: from 2.6.3 to 2.8.6
Description:
In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (by default it is disabled) intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon.
The PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml configuration → PrometheusPreparableReporter.prepare() → INSECURE_CONNECTION_FACTORY → SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials.
Mitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter Users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate.
References
Credits
- K (finder)
Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI
CVE-2026-35565 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-13T09:10:15.976Z
Affected
- Apache Storm UI before 2.8.6
Description
Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI
Versions Affected: before 2.8.6
Description: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in parseNode() and parseEdge() without sanitization at any layer. An authenticated user with topology submission rights could craft a topology containing malicious HTML/JavaScript in component identifiers (e.g., a bolt ID containing an onerror event handler). This payload flows through Nimbus → Thrift → the Visualization API → vis.js tooltip rendering, resulting in stored cross-site scripting.
In multi-tenant deployments where topology submission is available to less-trusted users but the UI is accessed by operators or administrators, this enables privilege escalation through script execution in an admin's browser session.
Mitigation: 2.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch the parseNode() and parseEdge() functions in the visualization JavaScript file to HTML-escape all API-supplied values including nodeId, :capacity, :latency, :component, :stream, and :grouping before interpolation into tooltip HTML strings, and should additionally restrict topology submission to trusted users via Nimbus ACLs as a defense-in-depth measure. A guide on how to do this is available in the release notes of 2.8.6.
References
RCE through Unsafe Deserialization via Kerberos TGT Credential Handling
CVE-2026-35337 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-13T09:11:04.526Z
Affected
- Apache Storm Client before 2.8.6
Description
Deserialization of Untrusted Data vulnerability in Apache Storm.
Versions Affected: before 2.8.6.
Description:
When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs.
Mitigation: 2.x users should upgrade to 2.8.6.
Users who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6.
Credit: This issue was discovered by K.
References
Credits
- K (finder)
Local Information Disclosure Vulnerability in Storm-core on Unix-Like systems due temporary files
CVE-2023-43123 [CVE] [CVE json] [OSV json]
Last updated: 2023-11-23T09:16:32.695Z
Affected
- Apache Storm from 2.0.0 before 2.6.0
Description
The method File.createTempFile on unix-like systems creates a file with predefined name (so easily identifiable) and by default will create this file with the permissions -rw-r--r--. Thus, if sensitive information is written to this file, other local users can read this information.
This affects the class https://github.com/apache/storm/blob/master/storm-core/src/jvm/org/apache/storm/utils/TopologySpoutLag.java#L99 and was introduced by https://issues.apache.org/jira/browse/STORM-3123
In practice, this has a very limited impact as this class is used only if ui.disable.spout.lag.monitoring
Moreover, the temporary file gets deleted soon after its creation.
The solution is to use Files.createTempFile instead.
We recommend that all users upgrade to the latest version of Apache Storm.
References
Credits
- Andrea Cosentino from Apache Software Foundation (finder)
Unsafe Pre-Authentication Deserialization In Workers
CVE-2021-40865 [CVE] [CVE json] [OSV json]
Last updated: 2021-10-21T21:27:58.697Z
Affected
- Apache Storm from v1.0.0 before Apache Storm *
- Apache Storm from Apache Storm before v1.2.4
Description
An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4
References
- https://lists.apache.org/thread.html/r8d45e74299897b6734dd0f788c46a631009ce2eeb731523386f7a253%40%3Cuser.storm.apache.org%3E
- https://seclists.org/oss-sec/2021/q4/45
Credits
- Apache Storm would like to thank @pwntester Alvaro Muñoz of the GitHub Security Lab team for reporting this issue.
Shell Command Injection Vulnerability in Nimbus Thrift Server
CVE-2021-38294 [CVE] [CVE json] [OSV json]
Last updated: 2021-10-21T22:16:43.838Z
Affected
- Apache Storm from v1.0.0 before Apache Storm*
- Apache Storm from Apache Storm before v1.2.4
Description
A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.
References
- https://lists.apache.org/thread.html/r5fe881f6ca883908b7a0f005d35115af49f43beea7a8b0915e377859%40%3Cuser.storm.apache.org%3E
- https://seclists.org/oss-sec/2021/q4/44
Credits
- Apache Storm would like to thank @pwntester Alvaro Muñoz of the GitHub Security Lab team for reporting this issue.