High (8.8)

Storm RCE via Kerberos credential deserialization (CVE-2026-35337)

CVE-2026-35337

Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deseri...

Overview

A high-severity deserialization vulnerability in Apache Storm allows authenticated attackers to execute arbitrary code on both the master (Nimbus) and worker nodes. The vulnerability, tracked as CVE-2026-35337, affects all versions prior to 2.8.6 and carries a CVSS score of 8.8.

Vulnerability Details

Apache Storm accepts a Kerberos ticket-granting ticket (TGT) as part of the credentials a user supplies when submitting a topology through the Nimbus Thrift API. Nimbus turns that credential field back into a javax.security.auth.kerberos.KerberosTicket with ObjectInputStream.readObject(), and before 2.8.6 it did so with no deserialization filter, so any serializable class on the classpath could be instantiated from attacker-supplied bytes. An authenticated user with topology-submission rights can therefore replace the serialized ticket with a malicious serialized Java object; that object's own deserialization code runs inside readObject(), before any cast to KerberosTicket, and can execute arbitrary code within the Java Virtual Machine (JVM). Worker processes, which receive the same credentials to populate their Subject, are exposed by the same path.

Affected Systems

This vulnerability impacts:

  • Apache Storm versions 2.x prior to 2.8.6.
  • Both the Nimbus (master) and Worker components are vulnerable to full remote code execution.

Impact

An attacker who has successfully authenticated and possesses topology submission rights can exploit this flaw to achieve remote code execution. This would grant them complete control over the affected Storm nodes, potentially allowing them to steal sensitive data, disrupt data processing pipelines, or move laterally within the environment. The attack requires no user interaction and has low complexity.

While the EPSS score indicates a low probability (0.3%) of widespread exploitation in the next 30 days, the high severity and straightforward attack path for authorized users make patching a priority.

Remediation and Mitigation

The primary and definitive solution is to upgrade Apache Storm to version 2.8.6 or later, which contains the fix.

For organizations that cannot upgrade immediately, the release notes describe a temporary mitigation: a Java monkey-patch of the vulnerable method that installs a JDK ObjectInputFilter (the JEP 290 deserialization filter, available since Java 9) so that only javax.security.auth.kerberos.KerberosTicket and the classes its serialized form depends on may be deserialized, with everything else rejected. Detailed instructions for applying this workaround are provided in the Apache Storm 2.8.6 release notes. Two checks matter when applying it: the filter must be set on the ObjectInputStream before the first readObject() call, because a class's deserialization code runs as soon as its object is read, and the allow-list must cover every class present in a real serialized ticket, or legitimate Kerberos-authenticated submissions will start failing with InvalidClassException.
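The following is an added, self-contained illustration of the vulnerable pattern and the filtered mitigation; it is not Storm's own code and not the patch from the release notes. The method names deserializeUnsafe and deserializeFiltered, the NotATicket stand-in class, and the placeholder ticket bytes are all constructed for the example. The allow-list is an assumption about which classes a serialized KerberosTicket graph contains (the ticket, KerberosPrincipal, the package-private KeyImpl session key, java.util.Date, and InetAddress client addresses); primitive arrays such as byte[] and boolean[] are not subject to class-name matching and pass regardless. Cross-check the list against the Storm 2.8.6 release notes before using anything like it.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Date;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class TicketFilterDemo {

    // Assumed allow-list for the credential path; first matching pattern wins,
    // and the trailing "!*" rejects every class not listed above it.
    static final String TICKET_ALLOW_LIST =
        "javax.security.auth.kerberos.KerberosTicket;"
      + "javax.security.auth.kerberos.KerberosPrincipal;"
      + "javax.security.auth.kerberos.KeyImpl;"
      + "java.util.Date;"
      + "java.net.InetAddress;java.net.Inet4Address;java.net.Inet6Address;"
      + "maxdepth=8;!*";

    /** Constructed stand-in for an attacker-chosen class. Whatever readObject does
     *  runs before the caller's cast to KerberosTicket, so the cast is no protection. */
    static final class NotATicket implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean readObjectRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectRan = true;   // marker only; a real gadget chain would act here
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    /** The pre-fix pattern: unfiltered readObject(), then a cast. */
    static KerberosTicket deserializeUnsafe(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (KerberosTicket) in.readObject();  // any class in the stream has already been instantiated
        }
    }

    /** Hardened variant: the filter is installed before the first object is read. */
    static KerberosTicket deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(TICKET_ALLOW_LIST);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter);
            return (KerberosTicket) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed ticket: the ASN.1 bytes and session key are placeholders, not a real TGT.
        KerberosTicket tgt = new KerberosTicket(
            new byte[] {0x61, 0x00},
            new KerberosPrincipal("alice@EXAMPLE.COM"),
            new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM"),
            new byte[16], 17,                 // 16 zero key bytes, etype 17 (aes128-cts-hmac-sha1-96)
            new boolean[32],                  // no flags set, so no renewTill is required
            new Date(), new Date(), new Date(System.currentTimeMillis() + 3_600_000L),
            null, null);

        byte[] legit = serialize(tgt);
        byte[] hostile = serialize(new NotATicket());

        // A genuine ticket round-trips through both paths.
        System.out.println("unsafe, legit:     " + deserializeUnsafe(legit).getClient());
        System.out.println("filtered, legit:   " + deserializeFiltered(legit).getClient());

        // Unsafe path: NotATicket.readObject runs, and only afterwards does the cast fail.
        try { deserializeUnsafe(hostile); } catch (ClassCastException e) { /* too late */ }
        System.out.println("unsafe, hostile:   readObject ran = " + NotATicket.readObjectRan);

        // Filtered path: the class name is rejected before any instance is created.
        NotATicket.readObjectRan = false;
        try { deserializeFiltered(hostile); }
        catch (InvalidClassException e) { System.out.println("filtered, hostile: " + e.getMessage()); }
        System.out.println("filtered, hostile: readObject ran = " + NotATicket.readObjectRan);
    }
}
```

Compile and run with a JDK 9 or newer (javac TicketFilterDemo.java && java TicketFilterDemo). The filter is scoped to the one ObjectInputStream that handles credentials; a process-wide filter set through the jdk.serialFilter system property would also constrain every other serialization path in the Storm daemon, which is why the release-notes workaround targets the vulnerable method rather than the whole JVM.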

Security Insight

This vulnerability is a classic case of unsafe deserialization, a persistent threat class in Java applications. Casting the returned object to KerberosTicket gives no protection, because an attacker-chosen class's deserialization code has already run by the time the cast is evaluated. The case highlights the importance of strict allow-listing, for example with the JDK's ObjectInputFilter, on every ObjectInputStream that consumes data from a less trusted party, especially in distributed systems like Storm where a single entry point can compromise an entire cluster. Similar patterns have led to major incidents in other data processing frameworks, underscoring that credential-handling paths require the same rigorous security scrutiny as primary data inputs.
