{"api_version":"1","generated_at":"2026-04-28T15:13:54+00:00","cve":"CVE-2026-40557","urls":{"html":"https://cve.report/CVE-2026-40557","api":"https://cve.report/api/cve/CVE-2026-40557.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-40557","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-40557"},"summary":{"title":"Apache Storm Prometheus Reporter: Disabling TLS verification for Prometheus Reporter also disables it for all other connections","description":"Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter\n\n\nVersions Affected: from 2.6.3 to 2.8.6\n\n\nDescription: \n\nIn production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (by default it is disabled) intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon.\n\n\nThe PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml configuration → PrometheusPreparableReporter.prepare() → INSECURE_CONNECTION_FACTORY → SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials.\n\n\n\n\nMitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter Users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate.","state":"PUBLISHED","assigner":"apache","published_at":"2026-04-27 14:16:48","updated_at":"2026-04-27 18:57:20"},"problem_types":["CWE-295","CWE-295 CWE-295 Improper Certificate Validation"],"metrics":[],"references":[{"url":"http://www.openwall.com/lists/oss-security/2026/04/25/2","name":"http://www.openwall.com/lists/oss-security/2026/04/25/2","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.apache.org/thread/f5bv68z1y5xstz22psjk05p3wn86knjq","name":"https://lists.apache.org/thread/f5bv68z1y5xstz22psjk05p3wn86knjq","refsource":"security@apache.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-40557","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40557","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Apache Software Foundation","product":"Apache Storm Prometheus Reporter","version":"affected 2.6.3 2.8.7 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"K","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2026-04-27T13:36:44.872Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"http://www.openwall.com/lists/oss-security/2026/04/25/2"}],"title":"CVE Program Container"}],"cna":{"affected":[{"collectionURL":"https://repo.maven.apache.org/maven2/","defaultStatus":"unaffected","packageName":"org.apache.storm:storm-metrics-prometheus","product":"Apache Storm Prometheus Reporter","vendor":"Apache Software Foundation","versions":[{"lessThan":"2.8.7","status":"affected","version":"2.6.3","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"K"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p><strong>Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter</strong></p>\n<p><b>Versions Affected: </b>from 2.6.3 to 2.8.6</p>\n<p><b>Description:&nbsp;</b></p><p><span style=\"background-color: rgb(255, 255, 255);\">In production deployments where an administrator enables </span><code>storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation&nbsp;</code>(by default it is disabled)&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon.</span><b><br></b></p><p>The <code>PrometheusPreparableReporter</code> class implements an <code>INSECURE_TRUST_MANAGER</code> that accepts all SSL certificates without validation, with empty <code>checkClientTrusted</code> and <code>checkServerTrusted</code> methods. Most critically, when the <code>storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation</code> configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the <code>INSECURE_CONNECTION_FACTORY</code> calls <code>SSLContext.setDefault(sslContext)</code>, which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml configuration → <code>PrometheusPreparableReporter.prepare()</code> → <code>INSECURE_CONNECTION_FACTORY</code> → <code>SSLContext.setDefault()</code>, resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials.<br></p>\n\n<p><b>Mitigation:</b> 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter Users who cannot upgrade immediately should remove the <code>storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true</code> setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate.<br></p>\n<br>"}],"value":"Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter\n\n\nVersions Affected: from 2.6.3 to 2.8.6\n\n\nDescription: \n\nIn production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (by default it is disabled) intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon.\n\n\nThe PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml configuration → PrometheusPreparableReporter.prepare() → INSECURE_CONNECTION_FACTORY → SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials.\n\n\n\n\nMitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter Users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate."}],"metrics":[{"other":{"content":{"text":"moderate"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-295","description":"CWE-295 Improper Certificate Validation","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-27T13:12:11.118Z","orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache"},"references":[{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/f5bv68z1y5xstz22psjk05p3wn86knjq"}],"source":{"discovery":"EXTERNAL"},"title":"Apache Storm Prometheus Reporter: Disabling TLS verification for Prometheus Reporter also disables it for all other connections","x_generator":{"engine":"Vulnogram 0.2.0"}}},"cveMetadata":{"assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","assignerShortName":"apache","cveId":"CVE-2026-40557","datePublished":"2026-04-27T13:12:11.118Z","dateReserved":"2026-04-14T11:20:51.218Z","dateUpdated":"2026-04-27T13:36:44.872Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-27 14:16:48","lastModifiedDate":"2026-04-27 18:57:20","problem_types":["CWE-295","CWE-295 CWE-295 Improper Certificate Validation"],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"40557","Ordinal":"1","Title":"Apache Storm Prometheus Reporter: Disabling TLS verification for","CVE":"CVE-2026-40557","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"40557","Ordinal":"1","NoteData":"Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter\n\n\nVersions Affected: from 2.6.3 to 2.8.6\n\n\nDescription: \n\nIn production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (by default it is disabled) intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon.\n\n\nThe PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml configuration → PrometheusPreparableReporter.prepare() → INSECURE_CONNECTION_FACTORY → SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials.\n\n\n\n\nMitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter Users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate.","Type":"Description","Title":"Apache Storm Prometheus Reporter: Disabling TLS verification for"}]}}}