PT-2026-51284 · Apache · Apache NiFi
Published 2026-06-22 · Updated 2026-06-22 · CVE-2026-44914
CVSS v4.0: 7.5 High
Vector: AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:L/U:Clear
Name of the Vulnerable Software and Affected Versions
Apache NiFi versions 1.12.0 through 2.9.0
Description
Authorization is missing when replacing Process Groups that include extension components with specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates that additional privileges are required, but the framework failed to check this status when handling requests to replace Process Groups. This allows a user with general write access to add components that have Restricted status. Installations that do not implement specific authorization for Restricted components are not affected, as the framework enforces write permissions as the security boundary.
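A minimal model of the check described above, added here as an illustration and not Apache NiFi code: every class, function and permission name in it (`Component`, `authorize_replace`, `execute-code` and so on) is hypothetical. It contrasts a write-only decision with one that also walks the replacement Process Group, nested groups included, for Required Permissions.

```python
"""Toy model (not Apache NiFi code) of authorizing a Process Group replace."""
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    required_permissions: frozenset = frozenset()  # non-empty means Restricted


@dataclass
class ProcessGroup:
    name: str
    components: list = field(default_factory=list)
    children: list = field(default_factory=list)


@dataclass
class User:
    name: str
    can_write: bool = False
    restricted_permissions: frozenset = frozenset()


def walk(group):
    """Yield every component in the group and in all nested groups."""
    yield from group.components
    for child in group.children:
        yield from walk(child)


def authorize_replace_write_only(user, replacement):
    """Flawed form from the description: only write access is checked."""
    return user.can_write


def authorize_replace(user, replacement, enforce_restricted=True):
    """Corrected form: write access plus each Required Permission in the payload.

    enforce_restricted=False models an installation with no specific
    authorization for Restricted components, where write access is the boundary.
    """
    if not user.can_write:
        return False, []
    if not enforce_restricted:
        return True, []
    needed = {p for c in walk(replacement) for p in c.required_permissions}
    missing = sorted(needed - user.restricted_permissions)
    return not missing, missing


# Constructed sample: a Restricted component hidden one level down.
NESTED = ProcessGroup("nested", [Component("RunCommand", frozenset({"execute-code"}))])
SAMPLE = ProcessGroup("ingest", [Component("LogRecords")], [NESTED])
```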
Recommendations
Update to version 2.10.0.
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Apache NiFi