CVE-2026-40557 - Vulnerability Details

Link	Providers
http://www.openwall.com/lists/oss-security/2026/04/25/2
https://lists.apache.org/thread/f5bv68z1y5xstz22psjk05p3wn86knjq

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/04/25/2

Type	Values Removed	Values Added
Description		Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter Versions Affected: from 2.6.3 to 2.8.6 Description: In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (by default it is disabled) intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon. The PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml configuration → PrometheusPreparableReporter.prepare() → INSECURE_CONNECTION_FACTORY → SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials. Mitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter Users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate.
Title		Apache Storm Prometheus Reporter: Disabling TLS verification for Prometheus Reporter also disables it for all other connections
Weaknesses		CWE-295
References		https://lists.apache.org/thread/f5bv68z1y5xstz22psjk05p3wn86knjq

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40557", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-04-14T11:20:51.218Z", "datePublished": "2026-04-27T13:12:11.118Z", "dateUpdated": "2026-04-27T13:36:44.872Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected", "packageName": "org.apache.storm:storm-metrics-prometheus", "product": "Apache Storm Prometheus Reporter", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.8.7", "status": "affected", "version": "2.6.3", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "K"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter\nVersions Affected: from 2.6.3 to 2.8.6\nDescription: In production deployments where an administrator enables <code>storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation </code>(by default it is disabled) intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon. The <code>PrometheusPreparableReporter</code> class implements an <code>INSECURE_TRUST_MANAGER</code> that accepts all SSL certificates without validation, with empty <code>checkClientTrusted</code> and <code>checkServerTrusted</code> methods. Most critically, when the <code>storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation</code> configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the <code>INSECURE_CONNECTION_FACTORY</code> calls <code>SSLContext.setDefault(sslContext)</code>, which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml configuration \u2192 <code>PrometheusPreparableReporter.prepare()</code> \u2192 <code>INSECURE_CONNECTION_FACTORY</code> \u2192 <code>SSLContext.setDefault()</code>, resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials. \n\nMitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter Users who cannot upgrade immediately should remove the <code>storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true</code> setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate. \n "}], "value": "Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter\n\n\nVersions Affected: from 2.6.3 to 2.8.6\n\n\nDescription:\u00a0\n\nIn production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation\u00a0(by default it is disabled)\u00a0intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon.\n\n\nThe PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml configuration \u2192 PrometheusPreparableReporter.prepare() \u2192 INSECURE_CONNECTION_FACTORY \u2192 SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials.\n\n\n\n\nMitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter Users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "description": "CWE-295 Improper Certificate Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-27T13:12:11.118Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/f5bv68z1y5xstz22psjk05p3wn86knjq"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Storm Prometheus Reporter: Disabling TLS verification for Prometheus Reporter also disables it for all other connections", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/25/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-27T13:36:44.872Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter\n\n\nVersions Affected: from 2.6.3 to 2.8.6\n\n\nDescription:\u00a0\n\nIn production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation\u00a0(by default it is disabled)\u00a0intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon.\n\n\nThe PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml configuration \u2192 PrometheusPreparableReporter.prepare() \u2192 INSECURE_CONNECTION_FACTORY \u2192 SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials.\n\n\n\n\nMitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter Users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate."}], "id": "CVE-2026-40557", "lastModified": "2026-04-27T14:16:48.017", "metrics": {}, "published": "2026-04-27T14:16:48.017", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/f5bv68z1y5xstz22psjk05p3wn86knjq"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/25/2"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "security@apache.org", "type": "Primary"}]}

Metrics

Affected Vendors & Products

Projects

Metrics

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object