CVE-2026-25903
Missing Authorization in Apache NiFi Allows Unauthorized Configuration Changes

Publication date: 2026-02-17

Last updated on: 2026-02-17

Assigner: Apache Software Foundation

Description
Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required to add the annotated component to the flow configuration, but framework authorization did not check restricted status when updating a component previously added. The missing authorization requires a more privileged user to add a restricted component to the flow configuration, but permits a less privileged user to make property configuration changes. Apache NiFi installations that do not implement different levels of authorization for Restricted components are not subject to this vulnerability because the framework enforces write permissions as the security boundary. Upgrading to Apache NiFi 2.8.0 is the recommended mitigation.
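The description above boils down to one asymmetry: the Restricted marker is consulted on the add path but not on the update path, which is exactly the CWE-862 pattern. The following is an added illustrative model of that asymmetry, written for this page and not taken from the Apache NiFi code base; the component names, permission strings and function names are constructed for the example. It shows the vulnerable update check beside the hardened one, which simply applies the same requirement on update as on add.

```python
"""Illustrative model of the authorization gap described in CVE-2026-25903.

Added example, NOT Apache NiFi source code. It models the pattern only:
a component type carries a Restricted marker, adding such a component
requires an extra permission, and the defect is that the update path
checked only the ordinary write permission.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ComponentType:
    name: str
    restricted: bool = False  # stands in for the Restricted annotation


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)  # e.g. {"write", "restricted"}


class AuthorizationError(PermissionError):
    """Raised when a check fails; callers decide how to report it."""


def authorize_add(user: User, ctype: ComponentType) -> None:
    """Adding a component: write permission, plus the restricted permission
    when the component type is marked Restricted."""
    if "write" not in user.permissions:
        raise AuthorizationError(f"{user.name} lacks write permission")
    if ctype.restricted and "restricted" not in user.permissions:
        raise AuthorizationError(
            f"{user.name} lacks restricted permission for {ctype.name}")


def authorize_update_vulnerable(user: User, ctype: ComponentType) -> None:
    """Vulnerable pattern: restricted status is never consulted on update,
    so write permission alone is enough to reconfigure a restricted component."""
    if "write" not in user.permissions:
        raise AuthorizationError(f"{user.name} lacks write permission")


def authorize_update_fixed(user: User, ctype: ComponentType) -> None:
    """Hardened pattern: updating a component is held to the same
    requirement as adding it, so restricted status is checked on both paths."""
    authorize_add(user, ctype)


def can_update(check, user: User, ctype: ComponentType) -> bool:
    """Run a check function and report pass/fail as a boolean."""
    try:
        check(user, ctype)
    except AuthorizationError:
        return False
    return True


# Constructed sample principals and component types for the demonstration.
ADMIN = User("admin", {"write", "restricted"})
EDITOR = User("editor", {"write"})
RESTRICTED = ComponentType("ConstructedRestrictedProcessor", restricted=True)
PLAIN = ComponentType("ConstructedPlainProcessor")


if __name__ == "__main__":
    for label, check in (("vulnerable", authorize_update_vulnerable),
                         ("fixed", authorize_update_fixed)):
        print(f"{label}: editor may update restricted component ->",
              can_update(check, EDITOR, RESTRICTED))
```

The editor can add neither a restricted component nor, under the hardened check, reconfigure one that an admin already added; under the vulnerable check the second action succeeds with write permission alone. That is why the record says installations that grant the restricted permission to every user with write permission are not affected: for them the two checks are indistinguishable.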
Affected Vendors & Products

Vendor   Product   Version
apache   nifi      From 1.1.0 (inc) to 2.7.2 (inc)
apache   nifi      2.8.0
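The table above gives the affected range as an inclusive interval with 2.8.0 as the fixed release. The following is an added version-check helper written for this page, not part of the CVE record or of Apache NiFi; it takes a version string, compares it against those bounds, and optionally pulls a version out of a library file name of the constructed form `nifi-<name>-<version>.jar`. Stripping a pre-release qualifier such as `-M1` before comparison is an assumption of this example, not something the record states.

```python
"""Affected-version check for CVE-2026-25903.

Added example, not from the CVE record. Bounds are the ones the record
lists: 1.1.0 (inclusive) through 2.7.2 (inclusive), fixed in 2.8.0.
"""
import re
import sys

AFFECTED_MIN = (1, 1, 0)
AFFECTED_MAX = (2, 7, 2)
FIXED = (2, 8, 0)

# MAJOR.MINOR.PATCH with an optional qualifier (e.g. "-M1", "-RC1", "+build").
# Assumption of this example: the qualifier is ignored for the range test.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")

# Constructed pattern for a jar file name ending in "-<version>.jar".
_JAR_RE = re.compile(r"-(\d+\.\d+\.\d+(?:-[A-Za-z0-9.]+)?)\.jar$")


def parse_version(text: str) -> tuple:
    """Turn '2.7.1' (or '2.0.0-M1') into a comparable (2, 7, 1) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(text: str) -> bool:
    """True when the version falls inside the inclusive affected range."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def classify(text: str) -> str:
    """Three-way verdict: 'affected', 'fixed' (>= 2.8.0) or 'not in affected range'."""
    version = parse_version(text)
    if version >= FIXED:
        return "fixed"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    return "not in affected range"


def version_from_jar_name(filename: str):
    """Extract the version from a constructed 'nifi-<name>-<version>.jar' file name,
    or return None when the name does not carry one."""
    m = _JAR_RE.search(filename)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Usage: python check_nifi_version.py 2.7.1  (or a jar file name)
    arg = sys.argv[1] if len(sys.argv) > 1 else "2.7.2"
    candidate = version_from_jar_name(arg) or arg
    print(f"{candidate}: {classify(candidate)}")
```

Versions between 2.7.2 and 2.8.0 are reported as "not in affected range" rather than "fixed", because the record lists 2.8.0 as the fixed release and says nothing about any intermediate version.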
CWE ID: CWE-862
Description: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Apache NiFi versions 1.1.0 through 2.7.2 and involves missing authorization checks when updating configuration properties on extension components that have specific Required Permissions indicated by the Restricted annotation.

The Restricted annotation signals that additional privileges are needed to add the annotated component to the flow configuration. However, while adding such components requires a more privileged user, the framework did not enforce authorization checks when a less privileged user attempts to update the properties of a component that was already added.

As a result, less privileged users can make configuration changes to restricted components without proper authorization, potentially bypassing intended security controls.

This issue does not affect Apache NiFi installations that implement different levels of authorization for Restricted components, as the framework enforces write permissions as the security boundary in those cases.

Upgrading to Apache NiFi version 2.8.0 is the recommended mitigation.


How can this vulnerability impact me?

This vulnerability can allow less privileged users to modify configuration properties of restricted components without proper authorization.

Such unauthorized changes could lead to misconfiguration, potential escalation of privileges, or unintended behavior in the data flow, which may compromise the security and integrity of the system.

If an attacker or unauthorized user exploits this vulnerability, they might alter critical settings that could affect data processing, access controls, or system stability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The recommended mitigation is to upgrade Apache NiFi to version 2.8.0 or later.

Additionally, ensure that your Apache NiFi installation implements different levels of authorization for Restricted components, as installations that do so are not subject to this vulnerability.


Meta Information
CVE Publication Date:
2026-02-17
CVE Last Modified Date:
2026-02-17
Report Generation Date:
2026-02-17
AI Powered Q&A Generation:
2026-02-17
EPSS Last Evaluated Date:
N/A