CVE-2026-44911
Status: Received - Intake
Authorization Bypass in Apache NiFi Configuration Verification

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: Apache Software Foundation

Description
Authorization handling for component configuration verification requests in Apache NiFi 1.15.0 through 2.9.0 allows clients with read access to submit proposed configuration properties. The proposed properties override current configuration, enabling users with read access to invoke predefined verification methods with alternative settings. Apache NiFi installations that do not implement different levels of authorization for viewing and modifying component configuration are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, requiring write access to submit configuration verification requests.
Affected Vendors & Products

Vendor | Product | Version / Range
apache | nifi    | 1.15.0 (start of affected range)
apache | nifi    | 2.9.0 (end of affected range)
apache | nifi    | From 2.10.0 (inc) (fixed version per the description)
CWE

CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

This vulnerability in Apache NiFi versions 1.15.0 through 2.9.0 involves improper authorization handling for component configuration verification requests. Specifically, clients who only have read access can submit proposed configuration properties that override the current configuration. This allows users with read access to invoke predefined verification methods using alternative settings, which they should not be able to do.

The root cause is that the verification endpoint accepted a request from any client holding read (view) permission on the component, even though the request carries proposed property values that replace the stored configuration for the duration of the verification. The bypass only matters where view and modify permission on a component are granted separately. Installations that do not distinguish viewing from modifying component configuration (every user who can view a component can also modify it) are not subject to this vulnerability, because those users already hold the write access that the fix requires.

Upgrading to Apache NiFi version 2.10.0 mitigates this vulnerability by requiring write access to submit configuration verification requests.

Impact Analysis

The impact is that a user with only read access to a component can invoke that component's predefined verification methods with property values of their choosing. The stored configuration is not changed, but running verification with alternative settings is an action intended for users who are allowed to modify the component, so the intended access control between viewers and editors is bypassed.

Only installations that enforce separate view and modify permissions on components are exposed. Where every user who can view a component can also modify it, the verification endpoint grants nothing the user did not already have.

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade Apache NiFi to version 2.10.0 or later.

This upgrade enforces that submitting configuration verification requests requires write access, preventing users with only read access from exploiting the vulnerability.

Installations that do not separate viewing and modifying component configuration are not subject to this vulnerability; the upgrade matters precisely where that separation is in place. Until you can upgrade, treat view permission on a component as equivalent to the ability to run its verification methods with arbitrary settings when reviewing access policies.
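The following is an added triage helper for the description and the mitigation notes above; it is example code, not part of this page or of the Apache NiFi project. It performs two checks: a static comparison of a reported NiFi version against the advisory's affected range (1.15.0 through 2.9.0, fixed in 2.10.0), and a live probe that submits a verification request for a processor while authenticated as a user holding only view permission on that component. A fixed server must answer 403 because write access is required. The endpoint path `/nifi-api/processors/{id}/config/verification-requests`, the request body shape, and bearer-token authentication are assumptions drawn from the NiFi REST API rather than from this page; adjust them for your version. Placeholder host, component id and token in the `__main__` section are constructed values.

```python
"""Triage helper for CVE-2026-44911 (added example; not Apache NiFi project code).

Check 1: is_affected_version() tests a version string against the advisory's
         affected range 1.15.0 <= v <= 2.9.0 (fixed from 2.10.0).
Check 2: probe() submits a configuration verification request with proposed
         property values as a *view-only* user. 403 means write access is
         enforced (fixed); 2xx means a read-only caller got through (vulnerable).

Assumed, not stated on the advisory page: the endpoint path, the body shape
{"request": {"componentId": ..., "properties": {...}}}, and bearer-token auth.
"""
import json
import re
import urllib.error
import urllib.request

AFFECTED_MIN = (1, 15, 0)
AFFECTED_MAX = (2, 9, 0)
FIXED_FROM = (2, 10, 0)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Numeric (major, minor, patch) prefix of a NiFi version string.
    Suffixes such as '-M1' or '-SNAPSHOT' are ignored for the range check."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    v = parse_version(version)
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def build_verification_request(component_id: str, properties: dict) -> dict:
    """Request body (assumed shape). 'properties' are the proposed values that
    override the stored configuration while the verification runs."""
    return {"request": {"componentId": component_id, "properties": dict(properties)}}


def classify_response(status: int) -> str:
    """Interpret the HTTP status of a probe sent with view-only credentials."""
    if status == 403:
        return "rejected: write access enforced (expected on 2.10.0 or later)"
    if status in (200, 201, 202):
        return "accepted: view-only caller submitted a verification request (vulnerable)"
    if status == 401:
        return "unauthenticated: check the token"
    if status == 404:
        return "not found: check the component id or the endpoint path"
    return f"inconclusive: unexpected HTTP {status}"


def probe(base_url: str, component_id: str, view_only_token: str,
          properties: dict, timeout: float = 10.0):
    """Submit one verification request as a view-only user and classify the result.
    Run this only against an instance you are authorised to test."""
    url = (f"{base_url.rstrip('/')}/nifi-api/processors/{component_id}"
           "/config/verification-requests")
    body = json.dumps(build_verification_request(component_id, properties)).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/json",
        "Authorization": f"Bearer {view_only_token}",
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as e:
        status = e.code
    return status, classify_response(status)


if __name__ == "__main__":
    for v in ("1.14.0", "1.15.0", "2.0.0-M1", "2.9.0", "2.10.0"):
        print(f"NiFi {v}: {'affected' if is_affected_version(v) else 'not affected'}")
    # Live probe with constructed placeholder values; point it at a test instance
    # you own, using a token for a user who holds only /view on the component.
    # status, verdict = probe("https://nifi.example:8443", "<processor-id>",
    #                         "<view-only-token>", {"Directory": "/tmp/probe"})
    # print(status, verdict)
```

The static check is only a first cut: a build carrying a vendor patch can report an affected version string yet already enforce write access, so the live probe is the authoritative answer. Submit the probe with credentials that hold view but not modify permission on the target processor; if a 2xx comes back, the server accepted proposed properties from a user who cannot edit the component, which is exactly the condition the fix in 2.10.0 closes.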

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
