A vulnerability was found in Apache Storm Client up to 2.8.5. It has been declared as critical. Affected is the function ObjectInputStream.readObject of the component Kerberos TGT Credential Handler. The manipulation results in deserialization. This vulnerability was named CVE-2026-35337. The attack can be performed remotely. There is no exploit available. It is recommended to upgrade the affected component.