The Apache Storm community is pleased to announce that version 2.8.6 has been
released and is available from the downloads page.
This release includes security fixes, new features, bug fixes, and library updates.
We encourage users of previous versions to upgrade to this latest release.
Thanks
Special thanks are due to all those who have contributed to Apache Storm -- whether
through direct code contributions, documentation, bug reports, or helping other
users on the mailing lists. Your efforts are much appreciated.
Changes in this Release - Storm 2.8.6
JIRA issues addressed in the 2.8.6 release of Storm. Documentation for this release is available at the Apache Storm project site.
Security Fixes
CVE-2026-35337 - Deserialization of Untrusted Data vulnerability in Apache Storm
Versions Affected: before 2.8.6.
Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs.
Mitigation: 2.x users should upgrade to 2.8.6.
Users who cannot upgrade immediately should monkey-patch ClientAuthUtils.deserializeKerberosTicket() to apply an ObjectInputFilter allow-list restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies; see for details.
Credit: This issue was discovered by K.
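The following is an added illustration of the allow-list mitigation described above; it is not Storm's code and does not reproduce ClientAuthUtils.deserializeKerberosTicket(). It shows how an ObjectInputFilter installed before readObject() turns an unexpected class in the base64 "TGT" blob into an InvalidClassException before that class's own deserialization logic can run. The class names in TGT_ALLOWED beyond KerberosTicket are an assumption about what its serialized form references and must be confirmed by round-tripping a real ticket on the deployed JDK; the Date and NotATicket payloads are constructed stand-ins for an allowed and a disallowed type.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputFilter.Status;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;
import java.util.Date;
import java.util.Set;

/**
 * Added illustration of the allow-list mitigation in the advisory. Not Storm code:
 * a stand-in for the readObject() call in ClientAuthUtils.deserializeKerberosTicket(),
 * guarded by an ObjectInputFilter.
 */
public class TgtDeserializeGuard {

    // Assumed allow-list: KerberosTicket plus the JDK types its serialized form is
    // expected to reference. The dependency names are an assumption; confirm them by
    // round-tripping a real ticket on the JDK you deploy before relying on this list.
    static final Set<String> TGT_ALLOWED = Set.of(
            "javax.security.auth.kerberos.KerberosTicket",
            "javax.security.auth.kerberos.KerberosPrincipal",
            "javax.security.auth.kerberos.KeyImpl",
            "java.util.Date",
            "java.net.InetAddress",
            "java.net.Inet4Address",
            "java.net.Inet6Address");

    static final int MAX_DEPTH = 8; // a ticket's object graph is shallow; deeper graphs are suspect

    /** Allow-list filter: arrays are unwrapped to their component type, primitives always pass. */
    static ObjectInputFilter allowListFilter(Set<String> allowed) {
        return info -> {
            if (info.depth() > MAX_DEPTH) {
                return Status.REJECTED;
            }
            Class<?> c = info.serialClass();
            if (c == null) {
                return Status.UNDECIDED; // back-reference or depth-only callback, no class to judge
            }
            while (c.isArray()) {
                c = c.getComponentType();
            }
            if (c.isPrimitive() || allowed.contains(c.getName())) {
                return Status.ALLOWED;
            }
            return Status.REJECTED; // refused before the class's readObject() can run
        };
    }

    /** Guarded counterpart of decoding a base64 "TGT" credential and calling readObject(). */
    static Object deserializeWithFilter(String base64, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        byte[] bytes = Base64.getDecoder().decode(base64);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter); // must be installed before the first readObject()
            return in.readObject();
        }
    }

    /** Builds test blobs the same way a client would encode the credential. */
    static String serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(value);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    /** Constructed stand-in for any class that has no business in the TGT field. */
    static final class NotATicket implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    public static void main(String[] args) throws Exception {
        ObjectInputFilter filter = allowListFilter(TGT_ALLOWED);

        // A type on the allow-list round-trips normally.
        Object ok = deserializeWithFilter(serialize(new Date(0)), filter);
        System.out.println("allowed: " + ok.getClass().getName());

        // Anything else fails with InvalidClassException("filter status: REJECTED").
        try {
            deserializeWithFilter(serialize(new NotATicket()), filter);
            System.out.println("BUG: unexpected class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two points a deployer should keep in mind: the filter has to be set on the ObjectInputStream before the first readObject() call (it can be set only once per stream), and where changing code is not possible the same allow-list can be expressed as a process-wide pattern through the JDK's jdk.serialFilter system property, at the cost of applying to every ObjectInputStream in the JVM rather than just the TGT path.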
CVE-2026-35565 - Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI
Versions Affected: before 2.8.6.
Description: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in parseNode() and parseEdge() without sanitization at any layer. An authenticated user with topology submission rights could craft a topology containing malicious HTML/JavaScript in component identifiers, resulting in stored cross-site scripting. In multi-tenant deployments, this enables privilege escalation through script execution in an admin's browser session.
Mitigation: 2.x users should upgrade to 2.8.6.
Users who cannot upgrade immediately should monkey-patch the related escaping; see for details.
Credit: This issue was discovered while investigating another report by K.
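The advisory locates the sink in the browser: parseNode() and parseEdge() interpolate component IDs, stream names and grouping values into innerHTML. The added helper below is not Storm's code; it shows, in the project's server language, the two complementary controls a defender would apply to that metadata: the exact HTML escaping that must happen once at the point of HTML insertion (in the UI the equivalent is assigning to textContent, or applying this escaping immediately before innerHTML), and a conservative identifier grammar that rejects markup characters at submission time as defence in depth. The SAFE_ID pattern is an assumption, not a rule Storm enforces, and the sample component ID is constructed.

```java
import java.util.regex.Pattern;

/**
 * Added example, not Storm code: output encoding and input validation for
 * topology metadata that ends up in the Storm UI.
 */
public class TopologyMetadataGuard {

    // Assumed conservative grammar for component IDs and stream names; Storm itself
    // does not impose this, it is a defence-in-depth check added for illustration.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_.:-]{1,128}");

    /** True when the identifier cannot carry HTML or attribute delimiters at all. */
    static boolean isSafeIdentifier(String id) {
        return id != null && SAFE_ID.matcher(id).matches();
    }

    /**
     * Escapes the five characters that can break out of an HTML text or attribute
     * context. Apply it exactly once, at the HTML sink; escaping earlier (e.g. in the
     * JSON served to the UI) and again in the browser yields visible double escapes.
     */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed component ID carrying harmless markup, standing in for
        // metadata that would otherwise be rendered as HTML by the visualization.
        String componentId = "spout-1<b title=\"x\">bold</b>";

        System.out.println("valid identifier: " + isSafeIdentifier(componentId)); // false
        System.out.println("rendered safely:  " + escapeHtml(componentId));
        // spout-1&lt;b title=&quot;x&quot;&gt;bold&lt;/b&gt;

        System.out.println("valid identifier: " + isSafeIdentifier("word-count:spout_1")); // true
    }
}
```

Validation alone is not a fix for the UI, because metadata submitted before the check existed is already stored and will still be rendered; the escaping (or textContent) at the sink is what closes the stored XSS, and the identifier check only narrows what can reach it in future.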
Enhancements
- [#8483] - Migrate to Java 24+ compatible security APIs and add Java 25 to CI
- [#8452] - Passing Conf object to KryoDecorator
- [#8305] - Improve dev-tools/release_notes.py to deal with multiple tags in an issue
Dependency upgrades
- [#8502] - Bump com.google.errorprone:error_prone_annotations from 2.48.0 to 2.49.0
- [#8501] - Bump redis.clients:jedis from 7.4.0 to 7.4.1
- [#8500] - Bump cytoscape from 3.33.1 to 3.33.2 in /storm-webapp
- [#8499] - Bump lodash from 4.17.23 to 4.18.1 in /storm-webapp
- [#8497] - Bump io.netty:netty-bom from 4.2.10.Final to 4.2.12.Final
- [#8496] - Bump jetty.version from 12.1.7 to 12.1.8
- [#8495] - Bump activemq.version from 6.2.1 to 6.2.3
- [#8494] - Bump hadoop.version from 3.4.3 to 3.5.0
- [#8493] - Bump start-server-and-test from 2.1.5 to 3.0.0 in /storm-webapp
- [#8492] - Bump mini-css-extract-plugin from 2.10.1 to 2.10.2 in /storm-webapp
- [#8491] - Bump webpack-cli from 7.0.0 to 7.0.2 in /storm-webapp
- [#8490] - Bump cypress from 15.12.0 to 15.13.0 in /storm-webapp
- [#8489] - Bump actions/upload-artifact from 4.6.2 to 7.0.0
- [#8488] - Bump actions/setup-node from 4.4.0 to 6.3.0
- [#8487] - Bump actions/download-artifact from 4.3.0 to 8.0.1
- [#8476] - Bump org.rocksdb:rocksdbjni from 10.2.1 to 10.10.1
- [#8475] - Bump org.apache.maven:maven-resolver-provider from 3.9.12 to 3.9.14
- [#8474] - Bump org.apache.maven.plugins:maven-shade-plugin from 3.6.1 to 3.6.2
- [#8473] - Bump netty-tcnative.version from 2.0.74.Final to 2.0.75.Final
- [#8472] - Bump com.fasterxml.jackson:jackson-bom from 2.21.1 to 2.21.2
- [#8471] - Bump io.netty:netty-bom from 4.2.10.Final to 4.2.12.Final
- [#8470] - Bump joda-time:joda-time from 2.14.0 to 2.14.1
- [#8469] - Bump byte-buddy.version from 1.18.5 to 1.18.8
- [#8468] - Bump storm.kafka.client.version from 4.1.1 to 4.2.0
- [#8467] - Bump activemq.version from 6.2.1 to 6.2.3
- [#8466] - Bump org.apache.logging.log4j:log4j-bom from 2.25.3 to 2.25.4
- [#8465] - Bump prometheus.client.version from 1.5.0 to 1.5.1
- [#8464] - Bump org.checkerframework:checker-qual from 3.53.1 to 3.54.0
- [#8463] - Bump com.github.eirslett:frontend-maven-plugin from 1.15.1 to 2.0.0
- [#8462] - Bump redis.clients:jedis from 7.3.0 to 7.4.0
- [#8461] - Bump commons-logging:commons-logging from 1.3.5 to 1.3.6
- [#8460] - Bump spring.version from 7.0.5 to 7.0.6
- [#8459] - Bump jetty.version from 12.1.6 to 12.1.7
- [#8458] - Bump com.fasterxml.jackson.core:jackson-databind from 2.21.1 to 2.21.2
- [#8447] - Bump serialize-javascript from 7.0.4 to 7.0.5 in /storm-webapp
- [#8437] - Bump ruby/setup-ruby from 1.295.0 to 1.298.0
- [#8436] - Bump picomatch from 4.0.3 to 4.0.4 in /storm-webapp
Bug fixing
- [#8456] - Storm 2.8.5 GUI using scientific notation in columns for large numbers
- [#8442] - Fix NPE in getSupervisorPageInfo for unknown hostnames
- [#8441] - Fix NPE in mkAssignments when assignment is deleted during scheduling
- [#8440] - Fix corrupted record counter in SequenceFileReader.Offset.increment()
- [#8457] - Fix scientific notation display for large numbers in Storm UI table