CVE-2026-35337

Published: Apr 13, 2026 Last Modified: Apr 15, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,8

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

Deserialization of Untrusted Data vulnerability in Apache Storm.

Versions Affected:
before 2.8.6.

Description:
When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the 'TGT' credential field, leading to remote code execution in both the Nimbus and Worker JVMs.

Mitigation:
2.x users should upgrade to 2.8.6.

Users who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6.

Credit: This issue was discovered by K.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0030

Percentile

0,5th

Updated

EPSS Score Trend (Last 4 Days)

502

Deserialization of Untrusted Data

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Availability Other

Potential Impacts:

Modify Application Data Unexpected State Dos: Resource Consumption (Cpu) Varies By Context

Applicable Platforms

Languages: Java, JavaScript, PHP, Python, Ruby

Technologies: AI/ML, ICS/OT, Not Technology-Specific

Likelihood of Exploit: Medium

View CWE Details

Application

Storm by Apache

Product Information

Vendor Apache

Product Storm

Version Range Affected

From 2.0.0 (inclusive)

To 2.8.6 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:apache:storm:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

http://www.openwall.com/lists/oss-security/2026/04/12/6

https://storm.apache.org/2026/04/12/storm286-released.html

CVE-2026-35337

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 4 Days)

Deserialization of Untrusted Data

Common Consequences

Applicable Platforms

Storm by Apache

Product Information

Iscriviti alla newsletter