Apache Storm security advisories

Security information for Apache Storm

Reporting

Do you want disclose a potential security issue for Apache Storm? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Anonymous principal assigned on TLS client certificate verification failure

CVE-2026-41081 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-27T13:10:44.288Z

Affected

  • Apache Storm Client before 2.8.7

Description

Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm

Versions Affected: up to 2.8.7

Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection.

This fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production.

Impact: Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments.

Mitigation: Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner.

Users who cannot upgrade immediately should:
- Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true)
- Ensure authorization rules explicitly deny access to CN=ANONYMOUS
- Review all ACL configurations for implicit default-allow behavior

References

Credits

  • K (finder)

Disabling TLS verification for Prometheus Reporter also disables it for all other connections

CVE-2026-40557 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-27T13:12:09.640Z

Affected

  • Apache Storm Prometheus Reporter from 2.6.3 before 2.8.7

Description

Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter

Versions Affected: from 2.6.3 to 2.8.6

Description: 

In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (by default it is disabled) intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon.

The PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml configuration → PrometheusPreparableReporter.prepare()INSECURE_CONNECTION_FACTORYSSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials.

Mitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter Users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate.


References

Credits

  • K (finder)

Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI

CVE-2026-35565 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-13T09:10:15.976Z

Affected

  • Apache Storm UI before 2.8.6

Description

Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI

Versions Affected: before 2.8.6

Description: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in parseNode() and parseEdge() without sanitization at any layer. An authenticated user with topology submission rights could craft a topology containing malicious HTML/JavaScript in component identifiers (e.g., a bolt ID containing an onerror event handler). This payload flows through Nimbus → Thrift → the Visualization API → vis.js tooltip rendering, resulting in stored cross-site scripting. 

In multi-tenant deployments where topology submission is available to less-trusted users but the UI is accessed by operators or administrators, this enables privilege escalation through script execution in an admin's browser session.

Mitigation: 2.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch the parseNode() and parseEdge() functions in the visualization JavaScript file to HTML-escape all API-supplied values including nodeId, :capacity, :latency, :component, :stream, and :grouping before interpolation into tooltip HTML strings, and should additionally restrict topology submission to trusted users via Nimbus ACLs as a defense-in-depth measure. A guide on how to do this is available in the release notes of 2.8.6.

Credit: This issue was discovered while investigating another report by K.

References

RCE through Unsafe Deserialization via Kerberos TGT Credential Handling

CVE-2026-35337 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-13T09:11:04.526Z

Affected

  • Apache Storm Client before 2.8.6

Description

Deserialization of Untrusted Data vulnerability in Apache Storm.

Versions Affected: before 2.8.6.

Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs.

Mitigation: 2.x users should upgrade to 2.8.6.

Users who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6.

Credit: This issue was discovered by K.

References

Credits

  • K (finder)

Local Information Disclosure Vulnerability in Storm-core on Unix-Like systems due temporary files

CVE-2023-43123 [CVE] [CVE json] [OSV json]

Last updated: 2023-11-23T09:16:32.695Z

Affected

  • Apache Storm from 2.0.0 before 2.6.0

Description

On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems.

The method File.createTempFile on unix-like systems creates a file with predefined name (so easily identifiable) and by default will create this file with the permissions -rw-r--r--. Thus, if sensitive information is written to this file, other local users can read this information.

File.createTempFile(String, String) will create a temporary file in the system temporary directory if the 'java.io.tmpdir' system property is not explicitly set.

This affects the class https://github.com/apache/storm/blob/master/storm-core/src/jvm/org/apache/storm/utils/TopologySpoutLag.java#L99 and was introduced by https://issues.apache.org/jira/browse/STORM-3123

In practice, this has a very limited impact as this class is used only if ui.disable.spout.lag.monitoring
is set to false, but its value is true by default.
Moreover, the temporary file gets deleted soon after its creation.

The solution is to use 
Files.createTempFile instead.

We recommend that all users upgrade to the latest version of Apache Storm.


References

Credits

  • Andrea Cosentino from Apache Software Foundation (finder)

Unsafe Pre-Authentication Deserialization In Workers

CVE-2021-40865 [CVE] [CVE json] [OSV json]

Last updated: 2021-10-21T21:27:58.697Z

Affected

  • Apache Storm from v1.0.0 before Apache Storm *
  • Apache Storm from Apache Storm before v1.2.4

Description

An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4

References

Credits

  • Apache Storm would like to thank @pwntester Alvaro Muñoz of the GitHub Security Lab team for reporting this issue.

Shell Command Injection Vulnerability in Nimbus Thrift Server

CVE-2021-38294 [CVE] [CVE json] [OSV json]

Last updated: 2021-10-21T22:16:43.838Z

Affected

  • Apache Storm from v1.0.0 before Apache Storm*
  • Apache Storm from Apache Storm before v1.2.4

Description

A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.

References

Credits

  • Apache Storm would like to thank @pwntester Alvaro Muñoz of the GitHub Security Lab team for reporting this issue.