Deserialization Vulnerability in Apache Storm by Apache
CVE-2026-35337
Currently unrated
What is CVE-2026-35337?
The vulnerability in Apache Storm arises when it processes topology credentials received via the Nimbus Thrift API. It deserializes base64-encoded TGT blobs with ObjectInputStream.readObject() without applying any class filtering or validation to the stream. An authenticated user with topology submission rights can therefore place a maliciously crafted serialized object in the 'TGT' credential field, potentially leading to remote code execution in both the Nimbus and Worker JVMs. To address this, users are advised to upgrade to version 2.8.6 or to apply a monkey-patch that allows only specific classes to be deserialized.
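The class-filtering mitigation described above, as an added example that is not Apache Storm's own code: the base64 blob is deserialized through an ObjectInputStream with a JDK ObjectInputFilter allowlist, so any class outside the list is rejected before it is instantiated. The allowlist patterns (Kerberos types plus a few JDK support types) and the class names are assumptions for illustration, not Storm's actual patch.

```java
import java.io.*;
import java.util.Base64;

public class FilteredTgtDeserializer {
    // Assumed allowlist: Kerberos ticket types and basic JDK types, then "!*" rejects
    // everything else. Adjust the patterns to the types your credential blob really needs.
    private static final ObjectInputFilter TGT_FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=16;javax.security.auth.kerberos.*;javax.security.auth.Subject;"
        + "java.util.*;java.lang.*;!*");

    // Decode and deserialize a credential blob, failing closed on any class not on the list.
    static Object deserializeTgt(String base64Blob) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64Blob);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(TGT_FILTER); // filter is consulted before each class is resolved
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Constructed sample type that is not on the allowlist.
    static class NotOnAllowlist implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: a String (java.lang.*) passes the filter.
        String allowed = Base64.getEncoder().encodeToString(serialize("ticket-placeholder"));
        System.out.println("allowed: " + deserializeTgt(allowed));

        // Constructed sample 2: an object of a class outside the allowlist is rejected
        // with InvalidClassException ("filter status: REJECTED") before any constructor runs.
        String rejected = Base64.getEncoder().encodeToString(serialize(new NotOnAllowlist()));
        try {
            deserializeTgt(rejected);
            System.out.println("unexpected: object was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be installed process-wide with ObjectInputFilter.Config.setSerialFilter or the jdk.serialFilter system property, which is the usual shape of a monkey-patch when the calling code cannot be changed.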
Affected Version(s)
Apache Storm Client 0 < 2.8.6