CVE-2026-35337: CWE-502 Deserialization of Untrusted Data in Apache Software Fou Apache Storm versions prior to 2.8.6 deserialize base64-encoded TGT blobs from topology credentials using ObjectInputStream.readObject() without any class filtering or validation. This unsafe deserialization allows an authenticated user wit

Apache Storm Client pre-2.8.6 hit by CRITICAL deserialization flaw — authenticated users can achieve RCE on Nimbus/Worker JVMs. Upgrade to 2.8.6 or restrict deserialization classes ASAP. radar.offseq.com/threat/cve-2026-35337-cw... #OffSeq #ApacheSto...