Deserialization in Apache Software Foundation Storm Client

CVE-2026-35337

Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob usin…

Vulnerability class: Insecure Deserialization

EPSS: 0.003 (50.5th percentile)
