GHSA-j2q8-xx3q-8fqh · Severity: medium · Ecosystem: maven — Apache Storm's Improper Handling of TLS Client Authentication Failure Leads to Anonymous Principal Assignment
Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection. This fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production. Impact: Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments. Mitigation: Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner. Users who cannot upgrade immediately should: - Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true) - Ensure authorization rules explicitly deny access to CN=ANONYMOUS - Review all ACL configurations for implicit default-allow behavior
Conclusion & alert: CVE-2026-41081 is rated Low Risk (33.2/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.29%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.09% | 0.29% | +0.19% |
| 2 | 2026-04-29 | 0.04% | 0.09% | +0.06% |
| 3 | 2026-04-28 | — | 0.04% | — |
Full EPSS history (3 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.5 | 3.1 | MEDIUM |
|
3.9 | 2.5 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
GHSA-j2q8-xx3q-8fqh · Severity: medium · Ecosystem: maven — Apache Storm's Improper Handling of TLS Client Authentication Failure Leads to Anonymous Principal Assignment
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/plxx5l29dvplk5rwzdcq53rdfl6v4gs8 | Mailing List Vendor Advisory |
| http://www.openwall.com/lists/oss-security/2026/04/25/3 | Mailing List Third Party Advisory |