CVE-2026-44914

HIGH EPSS 31.2%
Published Jun 22, 2026 (1w ago) · Modified Jun 24, 2026 (5d ago)
7.5 CVSS 4.0
High

Description

Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extension components with specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required, but framework authorization did not check restricted status when handling requests to replace Process Groups. The missing authorization permits a user with general write access to add components with Restricted status. Apache NiFi installations that do not implement specific authorization for Restricted components are not subject to this vulnerability because the framework enforces write permissions as the security boundary. Upgrading to Apache NiFi 2.9.0 is the recommended mitigation, which removes the implementation of Restricted status authorization from the framework.

CVSS Details

Base Score 7.5
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:L/U:Clear
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope P

Threat Intelligence

EPSS Exploit Probability
31.2% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-862 Missing Authorization

Affected Products 1

Vendor   Product   Version   Range
apache   nifi      *         ≥1.12.0  –  <2.10.0

References 2

  • openwall.com http://www.openwall.com/lists/oss-security/2026/06/20/6
    Mailing List, Third Party Advisory
  • lists.apache.org https://lists.apache.org/thread/ydr34t03xd1n0t9oogpzogjrd5y93838
    Mailing List, Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.