Improper TLS Client Authentication Management in Apache Storm by Apache Software Foundation
CVE-2026-41081
CVSS score: 6.5 (MEDIUM)
What is CVE-2026-41081?
Apache Storm, when configured with TLS transport but without mandatory client certificate authentication, may assign an anonymous principal identity (CN=ANONYMOUS) to clients that do not present a valid certificate. This occurs because an SSLPeerUnverifiedException is mishandled, and it poses a risk of unauthorized access to Storm services if the authorizer does not explicitly deny access to that principal. The event is logged at debug level only, which reduces visibility and increases the likelihood of exploitation. To mitigate, upgrade to version 2.8.7, enforce client certificate authentication, and review ACL configurations to prevent default-allow behavior.
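Illustrative Java, added here and not Apache Storm's own code, showing the lenient handling the advisory describes (an unverified peer mapped to CN=ANONYMOUS with only a debug log) next to a strict variant and a default-deny authorization check. The class and method names, the ACL contents and the proxy-based stand-in for an unverified SSLSession are assumptions made for the example; SSLSession.getPeerPrincipal() and SSLPeerUnverifiedException are the standard javax.net.ssl APIs.

```java
import java.lang.reflect.Proxy;
import java.security.Principal;
import java.util.Set;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;

public class PeerIdentityDemo {
  // Lenient pattern (the behaviour the advisory describes): an unverified peer
  // silently becomes CN=ANONYMOUS and only a debug message records it, so access
  // now depends entirely on the authorizer refusing that principal.
  static Principal resolvePeerLenient(SSLSession session) {
    try {
      return session.getPeerPrincipal();
    } catch (SSLPeerUnverifiedException e) {
      System.out.println("DEBUG: no client certificate, using anonymous principal");
      return new X500Principal("CN=ANONYMOUS");
    }
  }

  // Strict pattern: a missing or unverified client certificate is a hard failure,
  // logged at warning level, and never becomes a usable identity.
  static Principal resolvePeerStrict(SSLSession session) {
    try {
      return session.getPeerPrincipal();
    } catch (SSLPeerUnverifiedException e) {
      System.out.println("WARN: rejecting " + session.getPeerHost() + ": client certificate missing or unverified");
      throw new SecurityException("client certificate required", e);
    }
  }

  // Default-deny authorizer: an anonymous principal or an ACL miss means no access.
  static boolean authorize(Principal p, Set<String> allowedDNs) {
    return p != null && !"CN=ANONYMOUS".equals(p.getName()) && allowedDNs.contains(p.getName());
  }

  // Constructed stand-in (assumption) for a session whose client never presented a certificate.
  static SSLSession unverifiedSession() {
    return (SSLSession) Proxy.newProxyInstance(SSLSession.class.getClassLoader(),
      new Class<?>[] { SSLSession.class }, (proxy, m, a) -> {
        if (m.getName().equals("getPeerPrincipal")) throw new SSLPeerUnverifiedException("peer not authenticated");
        if (m.getName().equals("getPeerHost")) return "203.0.113.7"; // documentation address, constructed
        throw new UnsupportedOperationException(m.getName());
      });
  }

  public static void main(String[] args) {
    SSLSession s = unverifiedSession();
    Principal id = resolvePeerLenient(s);
    System.out.println("lenient: " + id.getName() + " authorized=" + authorize(id, Set.of("CN=storm-client")));
    try { resolvePeerStrict(s); } catch (SecurityException e) { System.out.println("strict: " + e.getMessage()); }
  }
}
```

With the lenient resolver the anonymous identity is created and only the default-deny check keeps it out; with the strict resolver the connection never obtains an identity at all, and the rejection is visible at warning level.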
Affected Version(s)
Apache Storm Client: all versions from 0 up to, but not including, 2.8.7