CVE-2026-41081

Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm<br /> <br /> Versions Affected: up to 2.8.7<br /> <br /> Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection.<br /> <br /> This fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production.<br /> <br /> Impact: Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments.<br /> <br /> Mitigation: Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner.<br /> <br /> Users who cannot upgrade immediately should:<br /> - Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true)<br /> - Ensure authorization rules explicitly deny access to CN=ANONYMOUS<br /> - Review all ACL configurations for implicit default-allow behavior