CVE-2026-41081— Apache Storm Client: Anonymous principal assigned on TLS client certificate verification failure
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41081
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apache Storm Client: Anonymous principal assigned on TLS client certificate verification failure
Source: NVD (National Vulnerability Database)
Vulnerability Description
Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection. This fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production. Impact: Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments. Mitigation: Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner. Users who cannot upgrade immediately should: - Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true) - Ensure authorization rules explicitly deny access to CN=ANONYMOUS - Review all ACL configurations for implicit default-allow behavior
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证机制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache Storm 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache Storm是美国阿帕奇(Apache)基金会的一套采用Clojure(并发编程语言)开发的开源分布式实时计算系统。 Apache Storm 2.8.7及之前版本存在授权问题漏洞,该漏洞源于TLS客户端认证失败处理不当导致匿名主体分配,可能造成未经授权的客户端绕过授权访问Storm服务。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache Storm Client | 0 ~ 2.8.7 | - |
II. Public POCs for CVE-2026-41081
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41081
Please Login to view more intelligence information
Same Patch Batch · Apache Software Foundation · 2026-04-27 · 13 CVEs total
| CVE-2026-41409 | 9.8 CRITICAL | Apache MINA: CWE-502 Deserialization of Untrusted Data |
| CVE-2026-41635 | 9.8 CRITICAL | Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter |
| CVE-2026-40557 | Apache Storm Prometheus Reporter: Disabling TLS verification for Prometheus Reporter also | |
| CVE-2026-27172 | Apache Camel: Unsafe Java deserialization in camel-consul ConsulRegistry allows arbitrary | |
| CVE-2026-33453 | Apache Camel: CoAP URI Query Parameter to Exchange Header Injection in camel-coap Allows S | |
| CVE-2026-33454 | Apache Camel: Inbound Header Filter Missing in MailHeaderFilterStrategy Allows Remote Code | |
| CVE-2026-40022 | Apache Camel Platform HTTP Main: Authentication Bypass on Non-Root Context Paths in camel | |
| CVE-2026-40858 | Apache Camel: Camel-Infinispan: Unsafe Deserialization in Remote Aggregation Repository | |
| CVE-2026-40453 | Apache Camel JMS, Apache Camel CoAP, Apache Camel Google PubSub: Incomplete fix for CVE-20 | |
| CVE-2026-40860 | Apache Camel: Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel- | |
| CVE-2026-40048 | Apache Camel PQC: Unsafe Deserialization from FileBasedKeyLifecycleManager | |
| CVE-2026-40473 | Apache Camel Mina: Unsafe Deserialization in MinaConverter.toObjectInput() via TCP/UDP |
IV. Related Vulnerabilities
Same vendor: Apache Software Foundation
- CVE-2026-39816
Apache NiFi: Missing Execute Code Required Permission on Tin - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro - CVE-2026-25077
Apache CloudStack: Unauthenticated Command Injection in Dire - CVE-2025-69233
Apache CloudStack: Domain/account resources limits not honor - CVE-2025-66467
Apache CloudStack: MinIO policy remains intact on bucket del
Same weakness: CWE-287
- CVE-2026-41070
openvpn-auth-oauth2 returns FUNC_SUCCESS on client-deny, all - CVE-2026-41574
Nhost Vulnerable to Account Takeover via OAuth Email Verific - CVE-2026-41671
Admidio: OIDC Token Introspection Endpoint Returns Active fo - CVE-2026-35579
CoreDNS TSIG authentication bypass on gRPC, QUIC, DoH, and D - CVE-2026-27960
OpenCTI privilege escalation and unauthenticated access via
V. Comments for CVE-2026-41081
No comments yet