CVE-2026-39816
Privilege Escalation in Apache NiFi TinkerpopClientService
Publication date: 2026-05-08
Last updated on: 2026-05-09
Assigner: Apache Software Foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | nifi | From 2.0.0 (inc) to 2.9.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39816 is a high-severity vulnerability in Apache NiFi versions 2.0.0-M1 through 2.8.0 affecting the optional TinkerpopClientService component.
The vulnerability arises because the TinkerpopClientService is missing the required Restricted annotation that enforces the Execute Code permission.
This missing annotation allows users who do not have the Execute Code permission to configure the service and submit Groovy scripts for execution via ByteCode or Script Submission.
This means unauthorized users can potentially execute arbitrary code within the affected Apache NiFi installations that have fine-grained authorization enabled and the nifi-other-graph-services-nar extension installed.
Upgrading to Apache NiFi version 2.9.0 or later mitigates this vulnerability.
How can this vulnerability impact me?
This vulnerability can allow unauthorized users to execute arbitrary Groovy scripts within Apache NiFi installations that have fine-grained authorization enabled and the optional TinkerpopClientService installed.
Such unauthorized code execution can lead to compromise of the system, unauthorized access to data, disruption of services, or other malicious activities.
The impact is significant because it bypasses intended permission restrictions, potentially allowing attackers to escalate privileges or manipulate workflows.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting exposure to this vulnerability means checking three things: whether the installed Apache NiFi version falls in the affected range, whether the optional nifi-other-graph-services-nar extension (which provides TinkerpopClientService) is installed, and whether fine-grained authorization is enabled.
You can check the installed NiFi version and the presence of the nifi-other-graph-services-nar extension by inspecting the NiFi installation directory or by using NiFi's API or CLI tools.
Since the vulnerability relates to missing permission annotations allowing unauthorized configuration of the TinkerpopClientService, you can audit user permissions and configurations related to this service.
Specific commands are not provided in the available resources.
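Because the advisory gives no commands, the following is an added example (not from the advisory or the NiFi project) that encodes its three preconditions as a check: a version inside 2.0.0-M1 up to but excluding 2.9.0, the graph-services NAR present in a lib/ listing, and fine-grained authorization enabled. The NAR file name pattern `nifi-other-graph-services-nar-<version>.nar` under lib/ is an assumption about how NiFi bundles are laid out; adjust it to your installation.

```python
import re
from typing import Iterable, Optional, Tuple

# Affected range stated in the advisory: 2.0.0-M1 (inclusive) up to 2.9.0 (exclusive).
FIRST_AFFECTED = "2.0.0-M1"
FIXED_VERSION = "2.9.0"
# Assumed file name pattern for the bundle in NiFi's lib/ directory.
GRAPH_NAR_RE = re.compile(r"^nifi-other-graph-services-nar-(?P<ver>[0-9][^/]*)\.nar$")


def parse_version(ver: str) -> Tuple[int, int, int, int]:
    """Turn '2.0.0-M2' into a sortable tuple; milestones (M1..Mn) sort before the GA release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", ver.strip())
    if not m:
        raise ValueError(f"unrecognised NiFi version: {ver!r}")
    major, minor, patch, milestone = m.groups()
    # GA releases get a large final component so that 2.0.0 > 2.0.0-M4.
    rank = int(milestone) if milestone else 10**6
    return (int(major), int(minor), int(patch), rank)


def version_in_affected_range(ver: str) -> bool:
    """True when ver lies in [2.0.0-M1, 2.9.0)."""
    return parse_version(FIRST_AFFECTED) <= parse_version(ver) < parse_version(FIXED_VERSION)


def find_graph_services_nar(lib_listing: Iterable[str]) -> Optional[str]:
    """Return the graph-services NAR file name if it appears in a lib/ listing."""
    for name in lib_listing:
        if GRAPH_NAR_RE.match(name):
            return name
    return None


def assess(nifi_version: str, lib_listing: Iterable[str], fine_grained_authz: bool) -> str:
    """Classify exposure according to the advisory's three preconditions."""
    if not version_in_affected_range(nifi_version):
        return f"not-affected: {nifi_version} is outside the affected range"
    nar = find_graph_services_nar(lib_listing)
    if nar is None:
        return "not-exposed: nifi-other-graph-services-nar is not installed"
    if not fine_grained_authz:
        return "precondition-not-met: fine-grained authorization is not enabled"
    return f"EXPOSED: {nar} installed on {nifi_version}; upgrade to {FIXED_VERSION}+ or remove the NAR"


if __name__ == "__main__":
    # Constructed sample lib/ listing, not taken from a real installation.
    sample_lib = ["nifi-standard-nar-2.8.0.nar", "nifi-other-graph-services-nar-2.8.0.nar"]
    print(assess("2.8.0", sample_lib, fine_grained_authz=True))
```

In practice feed `os.listdir` of your NiFi lib/ directory and the version from your deployment inventory to `assess`.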
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation is to upgrade Apache NiFi to version 2.9.0 or later, where this vulnerability is resolved.
If upgrading is not immediately possible, ensure that the nifi-other-graph-services-nar extension is not installed or disable the TinkerpopClientService component to prevent exploitation.
Additionally, review and tighten fine-grained authorization settings so that only users who hold the Execute Code permission can configure controller services such as TinkerpopClientService.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how CVE-2026-39816 affects compliance with common standards and regulations such as GDPR or HIPAA.