Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-du5r-hn2a-rfe1
Vulnerability ID VCID-du5r-hn2a-rfe1
Aliases CVE-2026-41081
GHSA-j2q8-xx3q-8fqh
Summary Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection. This fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production. Impact: Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments. Mitigation: Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner. Users who cannot upgrade immediately should: - Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true) - Ensure authorization rules explicitly deny access to CN=ANONYMOUS - Review all ACL configurations for implicit default-allow behavior
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-287 Improper Authentication
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.0014 https://api.first.org/data/v1/epss?cve=CVE-2026-41081
epss 0.0014 https://api.first.org/data/v1/epss?cve=CVE-2026-41081
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-j2q8-xx3q-8fqh
cvssv3.1 6.5 https://github.com/apache/storm
generic_textual MODERATE https://github.com/apache/storm
cvssv3.1 6.5 https://lists.apache.org/thread/plxx5l29dvplk5rwzdcq53rdfl6v4gs8
generic_textual MODERATE https://lists.apache.org/thread/plxx5l29dvplk5rwzdcq53rdfl6v4gs8
ssvc Track https://lists.apache.org/thread/plxx5l29dvplk5rwzdcq53rdfl6v4gs8
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2026-41081
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-41081
cvssv3.1 6.5 http://www.openwall.com/lists/oss-security/2026/04/25/3
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2026/04/25/3
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-41081
https://github.com/apache/storm
https://nvd.nist.gov/vuln/detail/CVE-2026-41081
http://www.openwall.com/lists/oss-security/2026/04/25/3
GHSA-j2q8-xx3q-8fqh https://github.com/advisories/GHSA-j2q8-xx3q-8fqh
plxx5l29dvplk5rwzdcq53rdfl6v4gs8 https://lists.apache.org/thread/plxx5l29dvplk5rwzdcq53rdfl6v4gs8
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/apache/storm
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://lists.apache.org/thread/plxx5l29dvplk5rwzdcq53rdfl6v4gs8
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-27T14:42:46Z/ Found at https://lists.apache.org/thread/plxx5l29dvplk5rwzdcq53rdfl6v4gs8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-41081
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at http://www.openwall.com/lists/oss-security/2026/04/25/3
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.33932
EPSS Score 0.0014
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:51:16.202669+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/41xxx/CVE-2026-41081.json 38.6.0