Improper Certificate Validation Vulnerability in Apache Storm by Apache
CVE-2026-40557

Currently unrated

Key Information:

Vendor: Apache

CVE Published: 27 April 2026

What is CVE-2026-40557?

A security flaw in Apache Storm's Prometheus Metrics Reporter results in improper certificate validation under a specific configuration. When the 'storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation' option is enabled, the reporter inadvertently alters the global SSL context used for all TLS communication within the Storm daemon. As a result, every subsequent HTTPS connection from the daemon, including sensitive ones to ZooKeeper and administrative interfaces, accepts any SSL certificate, creating a significant risk of man-in-the-middle attacks that can compromise sensitive data such as administrative credentials and cluster state.
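To illustrate the mechanism described above, here is an added Java example (not Apache Storm's own code; the exact API the reporter uses and the Pushgateway URL are assumptions) contrasting a reporter that replaces the JVM-wide default SSL context with one that applies the relaxed setting only to its own connection:

```java
import javax.net.ssl.*;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;

public class ScopedTlsExample {

    // Trust manager that accepts every certificate. Harmful when installed
    // process-wide; tolerable only when confined to one explicitly opted-in client.
    private static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    private static SSLContext trustAllContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_ALL, new SecureRandom());
        return ctx;
    }

    // Weak pattern (assumed to be the kind of change the advisory describes):
    // the reporter overwrites the JVM default, so ZooKeeper, admin UI and every
    // other HTTPS client in the same daemon silently stop validating certificates.
    static void applyGlobally(boolean skipTlsValidation) throws Exception {
        if (skipTlsValidation) {
            SSLContext.setDefault(trustAllContext());
            HttpsURLConnection.setDefaultSSLSocketFactory(trustAllContext().getSocketFactory());
        }
    }

    // Corrected pattern: the relaxed context is attached only to the reporter's
    // own connection; the process-wide default is never touched.
    static HttpsURLConnection openReporterConnection(URL url, boolean skipTlsValidation) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        if (skipTlsValidation) {
            conn.setSSLSocketFactory(trustAllContext().getSocketFactory());
            conn.setHostnameVerifier((host, session) -> true); // scoped to this connection only
        }
        return conn;
    }

    public static void main(String[] args) throws Exception {
        SSLContext before = SSLContext.getDefault();
        // Placeholder endpoint; no request is sent, the connection is only configured.
        openReporterConnection(new URL("https://pushgateway.example:9091/metrics/job/storm"), true);
        System.out.println("JVM default SSLContext unchanged: " + (before == SSLContext.getDefault()));
    }
}
```

A quick check for this class of bug in a daemon is to compare `SSLContext.getDefault()` identity before and after the reporter initialises: the scoped form prints `true`, while calling `applyGlobally(true)` instead would print `false`.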

Affected Version(s)

Apache Storm Prometheus Reporter from 2.6.3 up to, but not including, 2.8.7

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

K.