GHSA-8vm2-c32j-mvfr
Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:D/RE:L/U:Green
Network-reachable without authentication via crafted HTTP headers; impact limited to URL/redirect manipulation, not data exfiltration or code execution, yielding C:L/I:L/A:N.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:D/RE:L/U:Green
Lifecycle Timeline
3Description PRE-NVD
AnalysisAI
Host header injection in Apache NiFi 0.0.1 through 2.9.0 enables network-accessible clients to supply arbitrary values via X-ProxyHost and X-Forwarded-Host HTTP headers, causing the application to construct attacker-controlled qualified URLs used in HTTP redirects and data references. Although NiFi introduced an allowlist-based Host header control (nifi.web.proxy.host) in version 1.6.0, that validation was never extended to the alternative proxy and forwarded headers, leaving a persistent gap across roughly a decade of releases. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The vulnerability is exploitable on any Apache NiFi 0.0.1-2.9.0 instance reachable over the network where an upstream reverse proxy does not strip or validate the X-ProxyHost or X-Forwarded-Host headers before forwarding requests to NiFi. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No official CVSS score, EPSS probability, or SSVC decision data has been published for CVE-2026-54665 at time of analysis, so risk must be assessed from first principles. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network access to NiFi's web interface sends a crafted HTTP request containing a malicious value in the X-Forwarded-Host header (e.g., X-Forwarded-Host: attacker.example.com). NiFi accepts the unvalidated value and constructs a qualified redirect URL pointing to the attacker's domain, which is then returned in an HTTP Location header during a login or OAuth callback flow. … |
| Remediation | Vendor-released patch: Apache NiFi 2.10.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Apache NiFi deployments and versions; prioritize internet-facing or untrusted-network-accessible instances for immediate investigation. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authe
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization
Apache NiFi External XML Entity issue in SplitXML processor. Rated critical severity (CVSS 9.8), this vulnerability is r
Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retriev
The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not ne
When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiF
A flaw was found in jackson-databind before 2.9.10.7. Rated high severity (CVSS 8.1), this vulnerability is remotely exp
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to
Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow frami
Authorization bypass in Apache NiFi 1.12.0 through 2.9.0 allows authenticated users with general write access to add Res
The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references
Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configu
Same weakness CWE-346 – Origin Validation Error
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38216