CVE-2026-44914
Analyzed Analyzed - Analysis Complete

Missing Authorization in Apache NiFi Process Group Replacement

Vulnerability report for CVE-2026-44914, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-24

Assigner: Apache Software Foundation

Description

Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extension components with specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required, but framework authorization did not check restricted status when handling requests to replace Process Groups. The missing authorization permits a user with general write access to add components with Restricted status. Apache NiFi installations that do not implement specific authorization for Restricted components are not subject to this vulnerability because the framework enforces write permissions as the security boundary. Upgrading to Apache NiFi 2.9.0 is the recommended mitigation, which removes the implementation of Restricted status authorization from the framework.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-24
Generated
2026-07-12
AI Q&A
2026-06-22
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
apache nifi From 1.12.0 (inc) to 2.10.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Apache NiFi versions 1.12.0 through 2.9.0 and involves missing authorization checks when replacing Process Groups that contain extension components marked with a Restricted annotation.

The Restricted annotation signals that additional privileges are required to handle these components, but the framework did not properly verify these privileges during the replacement process.

As a result, a user with general write access could add components that should require higher privileges, bypassing intended security controls.

Impact Analysis

The impact of this vulnerability is that users with only general write permissions can introduce components that require higher privileges, potentially leading to unauthorized actions or escalation of privileges within Apache NiFi.

This could compromise the security boundary intended by the Restricted annotation, allowing unauthorized access or control over sensitive components.

Mitigation Strategies

The recommended mitigation is to upgrade Apache NiFi to version 2.9.0, which removes the implementation of Restricted status authorization from the framework.

Additionally, ensure that your Apache NiFi installation implements specific authorization for Restricted components, as installations without such authorization are not subject to this vulnerability.

Compliance Impact

The vulnerability allows users with general write access to add components with Restricted status without proper authorization checks. This missing authorization could potentially lead to unauthorized access or modification of sensitive data or processes.

Since standards like GDPR and HIPAA require strict access controls and authorization mechanisms to protect sensitive data, this vulnerability may impact compliance by weakening the enforcement of such controls within affected Apache NiFi versions.

However, Apache NiFi installations that implement specific authorization for Restricted components are not affected, and upgrading to version 2.9.0, which removes the problematic authorization implementation, is recommended to mitigate the risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44914. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart