PT-2026-51195 · Apache · Apache Nifi

Jose Rivas · Published 2026-06-20 · Updated 2026-06-22 · CVE-2026-54665

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:D/RE:L/U:Green
Name of the Vulnerable Software and Affected Versions: Apache NiFi versions 0.0.1 through 2.9.0

Description: Apache NiFi allows the construction of qualified URLs using several HTTP request headers that serve as alternatives to the standard Host header without validating the provided values. While a configurable application property was introduced in version 1.6.0 to restrict the HTTP Host header, this validation was not applied to Proxy and Forwarded headers. This lack of validation enables a client to force web services to create invalid qualified URLs for data references or redirection. The issue specifically involves the X-ProxyHost and X-Forwarded-Host headers.

Recommendations: Update to version 2.10.0. Configure the application with HTTPS to enable header validation via the nifi.web.proxy.host property. Ensure reverse proxy servers filter input request headers to provide only allowed values to the application.
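As an added illustration of the header validation the recommendations describe (not NiFi's own code): a small Python allow-list check that trusts an X-ProxyHost or X-Forwarded-Host value only when it appears in a configured list, the role nifi.web.proxy.host plays, and rejects any other value before a qualified URL is built. The header names come from the advisory; the parsing rules, function names and sample hosts are assumptions of this example.

```python
"""Allow-list check for proxy host headers, constructed for this advisory.

Illustrates the validation the recommendations describe: a host taken from
X-ProxyHost or X-Forwarded-Host is only used to build a qualified URL when it
is on a configured allow-list (the role of nifi.web.proxy.host); any other
value is rejected instead of trusted. This is not NiFi's code; parsing rules,
function names and sample hosts are assumptions of this example.
"""
from typing import Dict, FrozenSet, Optional

# The two header names the advisory identifies as Host alternatives.
PROXY_HOST_HEADERS = ("X-ProxyHost", "X-Forwarded-Host")


def parse_allowed_hosts(config_value: str) -> FrozenSet[str]:
    """Parse a comma-separated list of host or host:port entries, lower-cased."""
    return frozenset(h.strip().lower() for h in config_value.split(",") if h.strip())


def _first_hop(value: str) -> str:
    """Proxies may append to X-Forwarded-Host ("a, b"); only the first entry is used."""
    return value.split(",")[0].strip().lower()


def validated_proxy_host(headers: Dict[str, str], allowed: FrozenSet[str]) -> Optional[str]:
    """Return the allow-listed proxy host, or None when no proxy host header is present.

    Raises ValueError when a proxy host header is present but not allow-listed,
    so an unvalidated value never reaches URL construction.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in PROXY_HOST_HEADERS:
        raw = lowered.get(name.lower())
        if raw is None:
            continue
        candidate = _first_hop(raw)
        if candidate in allowed:
            return candidate
        raise ValueError(f"{name} value {candidate!r} is not an allowed proxy host")
    return None


def qualified_url(headers: Dict[str, str], allowed: FrozenSet[str],
                  canonical_host: str, path: str, scheme: str = "https") -> str:
    """Build a qualified URL for a data reference or redirect from a trusted host only."""
    host = validated_proxy_host(headers, allowed) or canonical_host
    return f"{scheme}://{host}{path}"
```

The same allow-list belongs on the reverse proxy as well, so that only the listed values are ever passed through to the application.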

Fix

Weakness Enumeration: Origin Validation Error

Related Identifiers: CVE-2026-54665

Affected Products: Apache Nifi