Shodan
Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2026-41081

Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection. This fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production. Impact: Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments. Mitigation: Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner. Users who cannot upgrade immediately should: - Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true) - Ensure authorization rules explicitly deny access to CN=ANONYMOUS - Review all ACL configurations for implicit default-allow behavior
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 11.0%
CVSS Severity
CVSS v3 Score 6.5
Products affected by CVE-2026-41081
  • Apache » Storm » Version: 0.10.0
    cpe:2.3:a:apache:storm:0.10.0
  • Apache » Storm » Version: 0.10.1
    cpe:2.3:a:apache:storm:0.10.1
  • Apache » Storm » Version: 0.10.2
    cpe:2.3:a:apache:storm:0.10.2
  • Apache » Storm » Version: 0.9.0
    cpe:2.3:a:apache:storm:0.9.0
  • Apache » Storm » Version: 0.9.0.1
    cpe:2.3:a:apache:storm:0.9.0.1
  • Apache » Storm » Version: 0.9.1
    cpe:2.3:a:apache:storm:0.9.1
  • Apache » Storm » Version: 0.9.2
    cpe:2.3:a:apache:storm:0.9.2
  • Apache » Storm » Version: 0.9.3
    cpe:2.3:a:apache:storm:0.9.3
  • Apache » Storm » Version: 0.9.4
    cpe:2.3:a:apache:storm:0.9.4
  • Apache » Storm » Version: 0.9.5
    cpe:2.3:a:apache:storm:0.9.5
  • Apache » Storm » Version: 0.9.6
    cpe:2.3:a:apache:storm:0.9.6
  • Apache » Storm » Version: 0.9.7
    cpe:2.3:a:apache:storm:0.9.7
  • Apache » Storm » Version: 1.0
    cpe:2.3:a:apache:storm:1.0
  • Apache » Storm » Version: 1.0.0
    cpe:2.3:a:apache:storm:1.0.0
  • Apache » Storm » Version: 1.0.1
    cpe:2.3:a:apache:storm:1.0.1
  • Apache » Storm » Version: 1.0.2
    cpe:2.3:a:apache:storm:1.0.2
  • Apache » Storm » Version: 1.0.3
    cpe:2.3:a:apache:storm:1.0.3
  • Apache » Storm » Version: 1.0.4
    cpe:2.3:a:apache:storm:1.0.4
  • Apache » Storm » Version: 1.0.5
    cpe:2.3:a:apache:storm:1.0.5
  • Apache » Storm » Version: 1.0.6
    cpe:2.3:a:apache:storm:1.0.6
  • Apache » Storm » Version: 1.0.7
    cpe:2.3:a:apache:storm:1.0.7
  • Apache » Storm » Version: 1.1
    cpe:2.3:a:apache:storm:1.1
  • Apache » Storm » Version: 1.1.0
    cpe:2.3:a:apache:storm:1.1.0
  • Apache » Storm » Version: 1.1.1
    cpe:2.3:a:apache:storm:1.1.1
  • Apache » Storm » Version: 1.1.2
    cpe:2.3:a:apache:storm:1.1.2
  • Apache » Storm » Version: 1.1.3
    cpe:2.3:a:apache:storm:1.1.3
  • Apache » Storm » Version: 1.2.0
    cpe:2.3:a:apache:storm:1.2.0
  • Apache » Storm » Version: 1.2.1
    cpe:2.3:a:apache:storm:1.2.1
  • Apache » Storm » Version: 1.2.2
    cpe:2.3:a:apache:storm:1.2.2
  • Apache » Storm » Version: 1.2.3
    cpe:2.3:a:apache:storm:1.2.3
  • Apache » Storm » Version: 1.2.4
    cpe:2.3:a:apache:storm:1.2.4
  • Apache » Storm » Version: 2.0.0
    cpe:2.3:a:apache:storm:2.0.0
  • Apache » Storm » Version: 2.1.0
    cpe:2.3:a:apache:storm:2.1.0
  • Apache » Storm » Version: 2.1.1
    cpe:2.3:a:apache:storm:2.1.1
  • Apache » Storm » Version: 2.2.0
    cpe:2.3:a:apache:storm:2.2.0
  • Apache » Storm » Version: 2.2.1
    cpe:2.3:a:apache:storm:2.2.1
  • Apache » Storm » Version: 2.3.0
    cpe:2.3:a:apache:storm:2.3.0
  • Apache » Storm » Version: 2.4.0
    cpe:2.3:a:apache:storm:2.4.0
  • Apache » Storm » Version: 2.5.0
    cpe:2.3:a:apache:storm:2.5.0
  • Apache » Storm » Version: 2.6.0
    cpe:2.3:a:apache:storm:2.6.0
  • Apache » Storm » Version: 2.6.1
    cpe:2.3:a:apache:storm:2.6.1
  • Apache » Storm » Version: 2.6.2
    cpe:2.3:a:apache:storm:2.6.2
  • Apache » Storm » Version: 2.6.3
    cpe:2.3:a:apache:storm:2.6.3
  • Apache » Storm » Version: 2.6.4
    cpe:2.3:a:apache:storm:2.6.4
  • Apache » Storm » Version: 2.7.0
    cpe:2.3:a:apache:storm:2.7.0
  • Apache » Storm » Version: 2.7.1
    cpe:2.3:a:apache:storm:2.7.1
  • Apache » Storm » Version: 2.8.0
    cpe:2.3:a:apache:storm:2.8.0
  • Apache » Storm » Version: 2.8.1
    cpe:2.3:a:apache:storm:2.8.1
  • Apache » Storm » Version: 2.8.2
    cpe:2.3:a:apache:storm:2.8.2
  • Apache » Storm » Version: 2.8.3
    cpe:2.3:a:apache:storm:2.8.3
  • Apache » Storm » Version: 2.8.4
    cpe:2.3:a:apache:storm:2.8.4
  • Apache » Storm » Version: 2.8.5
    cpe:2.3:a:apache:storm:2.8.5
  • Apache » Storm » Version: 2.8.6
    cpe:2.3:a:apache:storm:2.8.6


Products
Pricing
Contact Us

Shodan ® - All rights reserved