Skip to main content

Apache NiFi EUVDEUVD-2026-38218

| CVE-2026-44911 LOW
Incorrect Authorization (CWE-863)
2.3
CVSS 4.0 · Vendor

Severity by source

Vendor (CNA) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:L/U:Amber
vuln.today AI
5.4 MEDIUM

Network-accessible REST API requires read-level authentication (PR:L); no special attack complexity once access exists; no persistent configuration change, so limited and symmetric C/I impact with no availability consequence.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:L/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVSS changed
Jun 22, 2026 - 08:22 NVD
2.3 (LOW)
Analysis Generated
Jun 22, 2026 - 06:22 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Incorrect authorization enforcement in Apache NiFi 1.15.0 through 2.9.0 allows read-privileged users to submit configuration verification requests containing arbitrary proposed properties, bypassing the write-access requirement. The nifi-web-api REST endpoints for component configuration verification accepted proposed configuration overrides from any authenticated user with read access, enabling those users to invoke predefined verification methods - such as testing connectivity, credentials, or remote service endpoints - with attacker-supplied settings. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with read-only NiFi credentials
Delivery
Identify target component verification REST endpoint
Exploit
Craft POST request with attacker-supplied proposed configuration properties
Execution
Submit request to verify-configuration API
Persist
NiFi invokes predefined verification method with supplied settings
Impact
Extract feedback or probe downstream services

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated user account with at minimum read access to the Apache NiFi instance running versions 1.15.0 through 2.9.0, and the deployment must implement differentiated authorization levels where read-only access is distinct from write/modify access. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector or EPSS score was supplied, so quantitative risk metrics are inferred. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated read-only user on a multi-tenant Apache NiFi instance targeting a database processor crafts a REST API POST request to the processor's verify-configuration endpoint, supplying alternative JDBC connection properties containing attacker-controlled credentials and a target host. NiFi accepts the request due to insufficient authorization enforcement and invokes the database connectivity verification method with the supplied properties, attempting an outbound connection that could probe internal network services or validate credential pairs against downstream systems. …
Remediation Upgrade to Apache NiFi 2.10.0, which standardizes authorization handling for all configuration verification REST API resources to require write access before accepting proposed configuration properties. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Apache NiFi deployments and identify instances running versions 1.15.0 through 2.9.0; prioritize production environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Nifi

View all
CVE-2023-34468 HIGH POC
8.8 Jun 12

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authe

CVE-2017-5636 CRITICAL
9.8 Oct 19

In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization

CVE-2018-1309 CRITICAL
9.8 May 23

Apache NiFi External XML Entity issue in SplitXML processor. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2023-36542 HIGH
8.8 Jul 29

Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retriev

CVE-2022-33140 HIGH
8.8 Jun 15

The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not ne

CVE-2019-12421 HIGH
8.8 Nov 19

When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiF

CVE-2021-20190 HIGH
8.1 Jan 19

A flaw was found in jackson-databind before 2.9.10.7. Rated high severity (CVSS 8.1), this vulnerability is remotely exp

CVE-2017-5635 HIGH
7.5 Oct 19

In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to

CVE-2017-7667 HIGH
7.5 Jun 12

Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow frami

CVE-2026-44914 HIGH
7.5 Jun 20

Authorization bypass in Apache NiFi 1.12.0 through 2.9.0 allows authenticated users with general write access to add Res

CVE-2023-22832 HIGH
7.5 Feb 10

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references

CVE-2022-29265 HIGH
7.5 Apr 30

Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configu

Share

EUVD-2026-38218 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy