The Apache Storm community is pleased to announce the release of Apache Storm version 2.8.6.
Apache Storm is a distributed, fault-tolerant, and high-performance realtime computation system that provides strong guarantees on the processing of data. You can read more about Apache Storm on the project website: https://storm.apache.org/ Downloads of source and binary distributions are listed in our download section: https://storm.apache.org/downloads.html You can read more about this release in the following blog post: https://storm.apache.org/2026/04/12/storm286-released.html Note: This release fixes two CVEs: - CVE-2026-35337 - Deserialization of Untrusted Data vulnerability in Apache Storm - CVE-2026-35565 - Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI Distribution artifacts are available in Maven Central at the following coordinates: groupId: org.apache.storm artifactId: storm-{component} version: 2.8.6 The full list of changes is available here [1]. Please let us know [2] if you encounter any problems. Regards, The Apache Storm Team [1] https://dist.apache.org/repos/dist/release/storm/apache-storm-2.8.6/RELEASE_NOTES.html [2] https://github.com/apache/storm/issues
