CVE-2026-41081: Apache Storm TLS Client Certificate Verification Bypass Leads to Anonymous Principal Assignment

# CVE-2026-41081: Apache Storm Client Anonymous Principal Assignment Vulnerability ## Vulnerability Overview - **Vulnerability Name**: Apache Storm Client: Anonymous principal assigned on TLS client certificate verification failure - **Severity**: Moderate - **Description**: When TLS transport is enabled in Apache Storm but client certificate authentication is not required (default configuration), the `TlsTransportPlugin` assigns a fallback principal (`CN=ANONYMOUS`) instead of rejecting the connection if no client certificate is provided or if certificate verification fails. - **Impact**: Unauthenticated users may gain unauthorized access to Storm services. If the configured authorizer (such as `SimpleACLAuthorizer`) does not explicitly deny access to `CN=ANONYMOUS`, unauthorized clients may be assigned a principal identity, thereby bypassing access control mechanisms. ## Affected Scope - **Affected Versions**: Apache Storm Client (`org.apache.storm:storm-client`) versions prior to 2.8.7. - **Affected Components**: Up to version 2.8.7. ## Remediation - **Recommended Fix**: Users should upgrade to version 2.8.7, which handles TLS authentication failures in a "fail-closed" manner. - **Temporary Mitigation (if immediate upgrade is not possible)**: - Enable mandatory client certificate authentication: ```properties nimbus.thrift.client.auth.required: true ``` - Ensure that authorization rules explicitly deny access to `CN=ANONYMOUS`. - Review ACL configurations to eliminate implicit default-allow behaviors.

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-41081: Apache Storm TLS Client Certificate Verification Bypass Leads to Anonymous Principal Assignment