# CVE-2026-40557

> Vulnerability · severity: **MEDIUM** (CVSS 4.8).

## Description

Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter


Versions Affected: from 2.6.3 to 2.8.6


Description: 

In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (by default it is disabled) intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon.


The PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml configuration → PrometheusPreparableReporter.prepare() → INSECURE_CONNECTION_FACTORY → SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials.




Mitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter Users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate.

## Key facts

- **CVE ID:** CVE-2026-40557
- **Published:** 2026-04-27
- **CVSS severity:** MEDIUM
- **CVSS base score:** 4.8
- **CWE codes:** CWE-295

## Affected products

- `apache:storm_prometheus_reporter`

## Primary sources

- NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40557

## Citation

> AI Analytics. CVE-2026-40557. Retrieved 2026-07-19 from https://api.ai-analytics.org/cve/CVE-2026-40557. Derived from NIST NVD. Licensed CC0.

---

*[Dataset catalog](https://api.ai-analytics.org/datasets/) · [AI Analytics](https://api.ai-analytics.org/) · CC0 1.0*