Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:maven/org.apache.storm/storm-client@2.1.1
purl pkg:maven/org.apache.storm/storm-client@2.1.1
Next non-vulnerable version 2.8.7
Latest non-vulnerable version 2.8.7
Risk
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-du5r-hn2a-rfe1
Aliases:
CVE-2026-41081
GHSA-j2q8-xx3q-8fqh
Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection. This fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production. Impact: Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments. Mitigation: Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner. Users who cannot upgrade immediately should: - Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true) - Ensure authorization rules explicitly deny access to CN=ANONYMOUS - Review all ACL configurations for implicit default-allow behavior
2.8.7
Affected by 0 other vulnerabilities.
VCID-whh5-mqgr-1bc7
Aliases:
CVE-2026-35337
GHSA-jf89-3q6q-vcgr
Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs. Mitigation: 2.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6. Credit: This issue was discovered by K.
2.8.6
Affected by 1 other vulnerability.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-12T22:14:07.321172+00:00 GitLab Importer Affected by VCID-du5r-hn2a-rfe1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.storm/storm-client/CVE-2026-41081.yml 38.6.0
2026-06-12T22:01:57.780143+00:00 GitLab Importer Affected by VCID-whh5-mqgr-1bc7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.storm/storm-client/CVE-2026-35337.yml 38.6.0