Apache Storm 2.x RCE (CVE-2026-35337) and Stored XSS (CVE-2026-35565) Advisory

Vulnerability Overview CVE-2026-35337 - Untrusted Data Deserialization Vulnerability Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes base64-encoded TGT keys using without performing any class filtering or validation. An authenticated user with topology submission privileges can provide a crafted serialized object in the “TGT” credential field, leading to remote code execution in both Nimbus and Worker JVMs. Affected Versions: Versions prior to 2.8.6 Remediation: 2.x users should upgrade to 2.8.6. Users unable to upgrade immediately should monkey-patch an allow-list into , restricting deserialized classes to and its known dependencies; see link. Discoverer: K CVE-2026-35565 - Stored Cross-Site Scripting (XSS) in Storm UI via Unfiltered Topology Metadata Description: The Storm UI visualization component directly inserts topology metadata (including component IDs, stream names, and grouping values) into HTML via in and , without any escaping. An authenticated user with topology submission privileges can create a topology containing malicious HTML/JavaScript in the component identifiers, resulting in stored cross-site scripting. In multi-tenant deployments, this allows privilege escalation via script execution in the administrator’s browser. Affected Versions: Versions prior to 2.8.6 Remediation: 2.x users should upgrade to 2.8.6. Users unable to upgrade immediately should monkey-patch the relevant escaping logic; see link. Discoverer: K Remediation Upgrade to Apache Storm version 2.8.6. For users unable to upgrade immediately, apply the aforementioned monkey-patch measures. POC Code or Exploit Code No specific POC code or exploit code is provided on the page.

Goal Reached Thanks to every supporter — we hit 100%!

Apache Storm 2.x RCE (CVE-2026-35337) and Stored XSS (CVE-2026-35565) Advisory