{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41081", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-04-16T17:22:43.617Z", "datePublished": "2026-04-27T13:10:45.886Z", "dateUpdated": "2026-04-27T14:43:31.605Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected", "packageName": "org.apache.storm:storm-client", "product": "Apache Storm Client", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.8.7", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "K"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<b>Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm</b><br><br><b>Versions Affected:</b> up to 2.8.7<br><br><b>Description: </b>When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection.<br><br>This fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production.<br><br><b>Impact:</b> Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments.<br><br><b>Mitigation:</b> Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner.<br><br><b>Users who cannot upgrade immediately should:</b><br>- Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true)<br>- Ensure authorization rules explicitly deny access to CN=ANONYMOUS<br>- Review all ACL configurations for implicit default-allow behavior<br>"}], "value": "Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm\n\nVersions Affected: up to 2.8.7\n\nDescription: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection.\n\nThis fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production.\n\nImpact: Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments.\n\nMitigation: Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner.\n\nUsers who cannot upgrade immediately should:\n- Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true)\n- Ensure authorization rules explicitly deny access to CN=ANONYMOUS\n- Review all ACL configurations for implicit default-allow behavior"}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-27T13:10:45.886Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/plxx5l29dvplk5rwzdcq53rdfl6v4gs8"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Storm Client: Anonymous principal assigned on TLS client certificate verification failure", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/25/3"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-27T13:36:46.761Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T14:42:46.312578Z", "id": "CVE-2026-41081", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T14:43:31.605Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/25/3"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-27T13:36:46.761Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-41081", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T14:42:46.312578Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T14:40:10.400Z"}}], "cna": {"title": "Apache Storm Client: Anonymous principal assigned on TLS client certificate verification failure", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "K"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Storm Client", "versions": [{"status": "affected", "version": "0", "lessThan": "2.8.7", "versionType": "semver"}], "packageName": "org.apache.storm:storm-client", "collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/plxx5l29dvplk5rwzdcq53rdfl6v4gs8", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm\n\nVersions Affected: up to 2.8.7\n\nDescription: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection.\n\nThis fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production.\n\nImpact: Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments.\n\nMitigation: Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner.\n\nUsers who cannot upgrade immediately should:\n- Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true)\n- Ensure authorization rules explicitly deny access to CN=ANONYMOUS\n- Review all ACL configurations for implicit default-allow behavior", "supportingMedia": [{"type": "text/html", "value": "<b>Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm</b><br><br><b>Versions Affected:</b> up to 2.8.7<br><br><b>Description: </b>When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection.<br><br>This fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production.<br><br><b>Impact:</b> Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments.<br><br><b>Mitigation:</b> Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner.<br><br><b>Users who cannot upgrade immediately should:</b><br>- Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true)<br>- Ensure authorization rules explicitly deny access to CN=ANONYMOUS<br>- Review all ACL configurations for implicit default-allow behavior<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-27T13:10:45.886Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41081", "state": "PUBLISHED", "dateUpdated": "2026-04-27T14:43:31.605Z", "dateReserved": "2026-04-16T17:22:43.617Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-27T13:10:45.886Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:storm:*:*:*:*:*:*:*:*", "matchCriteriaId": "9286B022-3864-4ED1-B740-F1BD9B79820F", "versionEndExcluding": "2.8.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm\n\nVersions Affected: up to 2.8.7\n\nDescription: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection.\n\nThis fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production.\n\nImpact: Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments.\n\nMitigation: Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner.\n\nUsers who cannot upgrade immediately should:\n- Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true)\n- Ensure authorization rules explicitly deny access to CN=ANONYMOUS\n- Review all ACL configurations for implicit default-allow behavior"}], "id": "CVE-2026-41081", "lastModified": "2026-04-28T19:46:06.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-27T14:16:48.167", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/plxx5l29dvplk5rwzdcq53rdfl6v4gs8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/04/25/3"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.8.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Apache Storm Client", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "storm", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-28T04:26:31.510319+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Storm to version 2.8.7, where TLS failures are handled fail\u2011closed.", "If an upgrade cannot be performed immediately, enable mandatory client certificate authentication by setting nimbus.thrift.tls.client.auth.required to true in the Storm configuration.", "Configure ACLs to explicitly deny the CN=ANONYMOUS principal or review existing ACLs for implicit default\u2011allow settings to prevent unintended access."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access via Fallback Principal"}, "threat_synthesis": {"affected_systems": "The affected product is Apache Storm Client from the Apache Software Foundation. Versions up to and including 2.8.7 are vulnerable. The failure occurs when TLS transport is enabled but client authentication is not enforced.", "description_and_impact": "The vulnerability involves improper handling of TLS client authentication failure in Apache Storm's TlsTransportPlugin. When TLS transport is enabled without requiring client certificates, a missing or failed verification causes the plugin to capture and ignore SSLPeerUnverifiedException, then assigns the fallback principal CN=ANONYMOUS. This fail\u2011open behavior allows an unauthenticated client to connect over TLS and receive a valid principal identity. If the authorizer, such as SimpleACLAuthorizer, does not deny this principal, the client may gain unauthorized access to Storm services. This flaw is a form of authentication bypass (CWE-287).", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity. The EPSS score is not available, so exploitation likelihood cannot be determined, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit this flaw by establishing a TLS connection to any Storm cluster whose configuration does not require client certificates or whose authorizer does not explicitly deny the CN=ANONYMOUS principal. Because the exploitation requires no special privileges or advanced payloads, the threat is accessible to any network actor who can reach the Storm service."}}}}, "created": "2026-04-28T04:30:21.152062+00:00", "updated": "2026-04-28T09:17:09.010053+00:00", "vendors": ["apache", "apache$PRODUCT$storm"]}