Apache Storm, the distributed realtime computation system known for processing unbounded streams of data, has released a critical security update. Version 2.8.6 addresses two significant vulnerabilities that could allow authenticated users to execute code remotely or compromise administrator accounts through the platform’s user interface.
The more severe of the two flaws, CVE-2026-35337, carries an Important severity rating. It affects the Apache Storm Client (specifically the storm-client module).
When an authenticated user submits topology credentials through the Nimbus Thrift API, the system processes a base64-encoded Kerberos TGT (Ticket Granting Ticket) blob. Unfortunately, Storm was found to be using ObjectInputStream.readObject() to deserialize this data without any class filtering or validation.
By supplying a specially crafted serialized object in the “TGT” field, a user with topology submission rights can achieve Remote Code Execution (RCE) in both the Nimbus and Worker JVMs. This essentially gives an attacker the ability to run arbitrary commands with the same privileges as the Storm processes.
The second vulnerability, CVE-2026-35565, is a Moderate severity issue found in the Apache Storm UI.
The Storm UI visualization component is responsible for rendering the topology’s structure. It takes metadata—such as component IDs, stream names, and grouping values—and interpolates them directly into HTML. This is done using the innerHTML property in the parseNode() and parseEdge() functions without any sanitization.
An authenticated attacker can submit a topology containing malicious JavaScript in these identifiers. When an administrator views the topology in the UI, the payload triggers within their browser session. This leads to:
- Stored Cross-Site Scripting (XSS).
- Privilege Escalation, as the attacker’s script runs with the authority of the administrator’s browser session.
The primary recommendation for all users is to upgrade to version 2.8.6 immediately. If an immediate upgrade is not possible, the following workarounds have been suggested:
| Vulnerability | Temporary Workaround |
|---|---|
| RCE (CVE-2026-35337) | Implement an |
| XSS (CVE-2026-35565) | Patch the visualization JavaScript to HTML-escape all API-supplied values (e.g., |
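To make the UI flaw and its workaround concrete, here is an added illustration (not Apache Storm's own code) of the unsafe interpolation pattern described above beside the hardened form the workaround calls for; `renderNodeUnsafe`, `renderNodeSafe`, `escapeHtml` and `containsForeignTag` are hypothetical names, and the sample node is constructed.

```javascript
// Added example, not Storm's parseNode()/parseEdge(): simulates how a
// visualization renderer turns topology metadata into markup, and the fix
// of HTML-escaping every API-supplied value before it reaches innerHTML.

// Escape the characters that change meaning in HTML text and attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (hypothetical simplification of the reported behaviour):
// metadata from the topology API is interpolated straight into markup that
// the UI would then assign to innerHTML.
function renderNodeUnsafe(node) {
  return `<div class="node" data-id="${node.id}">` +
         `<span class="label">${node.id}</span>` +
         `<span class="stream">${node.stream}</span></div>`;
}

// Hardened pattern: every API-supplied value is escaped first, so an
// identifier carrying markup is rendered as literal text, not as elements.
function renderNodeSafe(node) {
  const id = escapeHtml(node.id);
  const stream = escapeHtml(node.stream);
  return `<div class="node" data-id="${id}">` +
         `<span class="label">${id}</span>` +
         `<span class="stream">${stream}</span></div>`;
}

// Check used below: does the rendered markup contain any tag that did not
// come from the template itself? True means user data became markup.
function containsForeignTag(html) {
  const allowed = new Set(["div", "/div", "span", "/span"]);
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.has(t));
}

// Constructed sample: a component ID that is valid to the API but carries markup.
const sampleNode = { id: "word-count<script>/* constructed */</script>", stream: "default" };

console.log("unsafe render leaks a tag:", containsForeignTag(renderNodeUnsafe(sampleNode)));
console.log("safe render leaks a tag:  ", containsForeignTag(renderNodeSafe(sampleNode)));
```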