CVE-2026-44914
Missing Authorization in Apache NiFi Process Group Replacement

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: Apache Software Foundation

Description
Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extension components with specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required, but framework authorization did not check restricted status when handling requests to replace Process Groups. The missing authorization permits a user with general write access to add components with Restricted status. Apache NiFi installations that do not implement specific authorization for Restricted components are not subject to this vulnerability because the framework enforces write permissions as the security boundary. Upgrading to Apache NiFi 2.9.0 is the recommended mitigation, which removes the implementation of Restricted status authorization from the framework.
Affected Vendors & Products

Vendor: apache
Product: nifi
Version / Range: from 1.12.0 (inclusive) to 2.9.0 (inclusive)
CWE

CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability affects Apache NiFi versions 1.12.0 through 2.9.0 and involves missing authorization checks when replacing Process Groups that contain extension components marked with a Restricted annotation.

The Restricted annotation signals that additional privileges are required to handle these components, but the framework did not properly verify these privileges during the replacement process.

As a result, a user with general write access could add components that should require higher privileges, bypassing intended security controls.

Impact Analysis

The impact of this vulnerability is that users with only general write permissions can introduce components that require higher privileges, potentially leading to unauthorized actions or escalation of privileges within Apache NiFi.

This could compromise the security boundary intended by the Restricted annotation, allowing unauthorized access or control over sensitive components.

Mitigation Strategies

The recommended mitigation is to upgrade Apache NiFi to version 2.9.0, which removes the implementation of Restricted status authorization from the framework.

Note that Apache NiFi installations that do not implement specific authorization for Restricted components are not subject to this vulnerability, because in those deployments the framework enforces write permissions as the security boundary; the missing check only matters where Restricted status is relied on as an additional control beyond write access.

Compliance Impact

The vulnerability allows users with general write access to add components with Restricted status without proper authorization checks. This missing authorization could potentially lead to unauthorized access or modification of sensitive data or processes.

Since standards like GDPR and HIPAA require strict access controls and authorization mechanisms to protect sensitive data, this vulnerability may impact compliance by weakening the enforcement of such controls within affected Apache NiFi versions.

However, Apache NiFi installations that implement specific authorization for Restricted components are not affected, and upgrading to version 2.9.0, which removes the problematic authorization implementation, is recommended to mitigate the risk.
