Skip to main content

Apache NiFi EUVDEUVD-2026-38219

| CVE-2026-44914 HIGH
Missing Authorization (CWE-862)
7.5
CVSS 4.0 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
7.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:L/U:Clear
vuln.today AI
7.5 HIGH

Network-reachable REST API with authenticated low-privileged write user (PR:L); AC:H because the target must have Restricted-component authorization configured; full impact via arbitrary Restricted-processor execution.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:L/U:Clear
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
P

Lifecycle Timeline

5
Analysis Updated
Jun 22, 2026 - 08:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 22, 2026 - 08:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 22, 2026 - 08:22 vuln.today
cvss_changed
CVSS changed
Jun 22, 2026 - 08:22 NVD
7.5 (HIGH)
Analysis Generated
Jun 22, 2026 - 06:23 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Authorization bypass in Apache NiFi 1.12.0 through 2.9.0 allows authenticated users with general write access to add Restricted-annotated extension components when replacing Process Groups, despite lacking the explicit Restricted-component privilege. The flaw stems from the framework failing to enforce Restricted-annotation checks during Process Group replacement, effectively letting privileged-component installation bypass its intended authorization boundary. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate as low-privileged NiFi user
Delivery
Identify writable Process Group
Exploit
Craft replacement flow with Restricted component
Install
Submit Process Group replace request
C2
Framework skips Restricted authorization check
Execute
Restricted processor instantiates and executes
Impact
Code execution as NiFi service account

Vulnerability AssessmentAI

Exploitation Attacker must hold an authenticated NiFi account with 'write' permission on at least one Process Group, and the target NiFi installation must be on the 1.12.0-2.8.x line with Restricted-component authorization policies actually configured (per the advisory, installations that do not implement Restricted-component authorization are not subject to this vulnerability because plain write permission is already the boundary). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-supplied CVSS 4.0 vector rates this 7.5 (PR:H, AT:P, network attack vector, full vulnerable-system C/I/A impact), which already accounts for two meaningful gating factors: an authenticated account with write permissions and a deployment that actually configures Restricted-component policies. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated NiFi user with write access to a Process Group - for example a dataflow developer in a multi-tenant cluster - crafts a replacement Process Group definition that includes a Restricted component such as ExecuteScript or a custom processor that interacts with the host file system. They submit it through the Process Group replace API, the framework skips the Restricted-annotation authorization check, and the new component runs as the NiFi service account, yielding command execution on the host. …
Remediation Vendor-released patch: upgrade to Apache NiFi 2.9.0, which removes the framework's Restricted-status authorization model and shifts the boundary to standard write permissions (see https://nifi.apache.org/ and the NIFI-15845 issue at https://issues.apache.org/jira/browse/NIFI-15845). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all Apache NiFi deployments using versions 1.12.0-2.9.0 and document systems at risk. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Nifi

View all
CVE-2023-34468 HIGH POC
8.8 Jun 12

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authe

CVE-2017-5636 CRITICAL
9.8 Oct 19

In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization

CVE-2018-1309 CRITICAL
9.8 May 23

Apache NiFi External XML Entity issue in SplitXML processor. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2023-36542 HIGH
8.8 Jul 29

Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retriev

CVE-2022-33140 HIGH
8.8 Jun 15

The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not ne

CVE-2019-12421 HIGH
8.8 Nov 19

When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiF

CVE-2021-20190 HIGH
8.1 Jan 19

A flaw was found in jackson-databind before 2.9.10.7. Rated high severity (CVSS 8.1), this vulnerability is remotely exp

CVE-2017-5635 HIGH
7.5 Oct 19

In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to

CVE-2017-7667 HIGH
7.5 Jun 12

Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow frami

CVE-2023-22832 HIGH
7.5 Feb 10

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references

CVE-2022-29265 HIGH
7.5 Apr 30

Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configu

CVE-2020-9491 HIGH
7.5 Oct 01

In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connectio

Share

EUVD-2026-38219 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy