GHSA-r2g5-993q-664g
Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:L/U:Clear
Network-reachable REST API with authenticated low-privileged write user (PR:L); AC:H because the target must have Restricted-component authorization configured; full impact via arbitrary Restricted-processor execution.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:L/U:Clear
Lifecycle Timeline
5Description PRE-NVD
AnalysisAI
Authorization bypass in Apache NiFi 1.12.0 through 2.9.0 allows authenticated users with general write access to add Restricted-annotated extension components when replacing Process Groups, despite lacking the explicit Restricted-component privilege. The flaw stems from the framework failing to enforce Restricted-annotation checks during Process Group replacement, effectively letting privileged-component installation bypass its intended authorization boundary. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must hold an authenticated NiFi account with 'write' permission on at least one Process Group, and the target NiFi installation must be on the 1.12.0-2.8.x line with Restricted-component authorization policies actually configured (per the advisory, installations that do not implement Restricted-component authorization are not subject to this vulnerability because plain write permission is already the boundary). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-supplied CVSS 4.0 vector rates this 7.5 (PR:H, AT:P, network attack vector, full vulnerable-system C/I/A impact), which already accounts for two meaningful gating factors: an authenticated account with write permissions and a deployment that actually configures Restricted-component policies. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated NiFi user with write access to a Process Group - for example a dataflow developer in a multi-tenant cluster - crafts a replacement Process Group definition that includes a Restricted component such as ExecuteScript or a custom processor that interacts with the host file system. They submit it through the Process Group replace API, the framework skips the Restricted-annotation authorization check, and the new component runs as the NiFi service account, yielding command execution on the host. … |
| Remediation | Vendor-released patch: upgrade to Apache NiFi 2.9.0, which removes the framework's Restricted-status authorization model and shifts the boundary to standard write permissions (see https://nifi.apache.org/ and the NIFI-15845 issue at https://issues.apache.org/jira/browse/NIFI-15845). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all Apache NiFi deployments using versions 1.12.0-2.9.0 and document systems at risk. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authe
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization
Apache NiFi External XML Entity issue in SplitXML processor. Rated critical severity (CVSS 9.8), this vulnerability is r
Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retriev
The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not ne
When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiF
A flaw was found in jackson-databind before 2.9.10.7. Rated high severity (CVSS 8.1), this vulnerability is remotely exp
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to
Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow frami
The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references
Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configu
In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connectio
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38219