PT-2026-8394 · Apache · Apache Nifi

David Handermann

·

Published

2026-02-06

·

Updated

2026-02-20

·

CVE-2026-25903

CVSS v2.0

9.0

High

Vector AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache NiFi versions 1.1.0 through 2.7.2
Description: Apache NiFi installations are affected by a missing authorization check when updating configuration properties on extension components that declare specific Required Permissions through the Restricted annotation. The Restricted annotation indicates the additional privileges needed to add a component to the flow configuration, but the framework did not verify the restricted status during updates to previously added components. This allows a user with lower privileges to modify the configuration of restricted components, potentially compromising dataflow logic or triggering unsafe actions. Installations that do not implement different authorization levels for Restricted components are not affected, as the framework relies on write permissions as the security boundary there.
Recommendations: Upgrade to Apache NiFi version 2.8.0 to address this issue.
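The gap described above is a check enforced on the add path but skipped on the update path. The following is an added example that models that pattern; it is not NiFi's code. The permission names are modelled on NiFi's RequiredPermission values, ExecuteScript is used because NiFi does mark it Restricted, and the `User`, `Component` and check functions are a hypothetical authorization model written for illustration.

```python
"""Model of a create-time check that is missing at update time (added example, not NiFi code).

Assumptions (hypothetical, not NiFi's API): a Component carries the set of
restricted permissions required by its Restricted annotation; a User holds a
flow write right plus a set of restricted-permission grants.
"""
from dataclasses import dataclass, field

# Permission names modelled on NiFi's RequiredPermission values; constructed here.
READ_FILESYSTEM = "read-filesystem"
EXECUTE_CODE = "execute-code"


@dataclass(frozen=True)
class Component:
    type_name: str
    restricted_permissions: frozenset = frozenset()  # empty => not Restricted


@dataclass
class User:
    name: str
    can_write_flow: bool
    restricted_grants: set = field(default_factory=set)


class AuthorizationError(PermissionError):
    pass


def _check_write(user):
    # The write permission on the enclosing process group.
    if not user.can_write_flow:
        raise AuthorizationError(f"{user.name}: no write permission on process group")


def _check_restricted(user, component):
    # Every permission named by the Restricted annotation must be granted.
    missing = component.restricted_permissions - user.restricted_grants
    if missing:
        raise AuthorizationError(f"{user.name}: missing restricted permissions {sorted(missing)}")


def add_component(user, component):
    """Add path: write check plus restricted check, as in all versions."""
    _check_write(user)
    _check_restricted(user, component)
    return True


def update_component_vulnerable(user, component, new_props):
    """Update path as described for 1.1.0 through 2.7.2: only the write check."""
    _check_write(user)
    return dict(new_props)


def update_component_fixed(user, component, new_props):
    """Update path with the restricted check re-applied."""
    _check_write(user)
    _check_restricted(user, component)
    return dict(new_props)


def can(fn, *args):
    """True if the call is authorized, False if it raises AuthorizationError."""
    try:
        fn(*args)
        return True
    except AuthorizationError:
        return False


# Constructed scenario: an admin adds a restricted processor, a write-only user edits it.
EXECUTE_SCRIPT = Component("ExecuteScript", frozenset({EXECUTE_CODE}))
ADMIN = User("admin", True, {READ_FILESYSTEM, EXECUTE_CODE})
EDITOR = User("editor", True)  # write permission on the flow, no restricted grants


def scenario():
    """Returns (editor_can_add, editor_can_update_vulnerable, editor_can_update_fixed)."""
    assert add_component(ADMIN, EXECUTE_SCRIPT)
    props = {"Script Body": "print('hello')"}  # constructed property change
    return (
        can(add_component, EDITOR, EXECUTE_SCRIPT),
        can(update_component_vulnerable, EDITOR, EXECUTE_SCRIPT, props),
        can(update_component_fixed, EDITOR, EXECUTE_SCRIPT, props),
    )


if __name__ == "__main__":
    print(scenario())  # (False, True, False)
```

The first value shows that the editor cannot add the restricted component; the second shows that, under the affected behaviour, the same editor can still rewrite its properties once an administrator has placed it in the flow; the third shows the update rejected once the restricted check is applied on the update path as well. If `EDITOR` were given the same restricted grants as `ADMIN`, all three calls would succeed in both versions, which is the "not affected" case the description refers to: without separate authorization levels for Restricted components, write permission is the only boundary either way.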

Fix · LPE

Weakness Enumeration

Missing Authorization

Related Identifiers

BDU:2026-02444
BIT-NIFI-2026-25903
CVE-2026-25903
GHSA-C5W7-M8WF-XC77

Affected Products

Apache Nifi