CVE-2026-54665
Received Received - Intake
Host Header Validation Bypass in Apache NiFi

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: Apache Software Foundation

Description
Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that provide an alternative to the standard Host header without validating the values provided. Apache NiFi 1.6.0 introduced a configurable application property to restrict values provided in the HTTP Host header, but did not apply the validation to alternative Proxy and Forwarded headers. The absence of proxy host header validation allowed a client to instruct Apache NiFi web services to construct invalid qualified URLs for redirection or data references. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which implements validation for the X-ProxyHost and X-Forwarded-Host HTTP request headers based on the nifi.web.proxy.host property. Enabling header validation requires configuring the application with HTTPS. Reverse proxy servers in front of Apache NiFi are responsible for filtering input request headers and providing allowed values to the application.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-22
Last Modified
2026-06-22
Generated
2026-06-22
AI Q&A
2026-06-22
EPSS Evaluated
N/A
NVD
CVE-2026-54665
EUVD
EUVD-2026-38216
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
apache nifi From 0.0.1 (inc) to 2.9.0 (inc)
apache nifi 1.6.0
apache nifi 2.10.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Apache NiFi versions 0.0.1 through 2.9.0, where the software builds qualified URLs from several HTTP request headers that serve as alternatives to the standard Host header without properly validating their values.

Although Apache NiFi 1.6.0 introduced a configurable property to restrict values in the HTTP Host header, it did not apply similar validation to alternative headers such as Proxy and Forwarded headers.

Because of this lack of validation, a client can send crafted HTTP headers that cause Apache NiFi web services to construct invalid or malicious URLs for redirection or data references.

The recommended mitigation is to upgrade to Apache NiFi 2.10.0, which implements validation for the X-ProxyHost and X-Forwarded-Host headers based on the nifi.web.proxy.host property and requires HTTPS configuration.

Impact Analysis

This vulnerability can allow an attacker to manipulate the URLs constructed by Apache NiFi web services, potentially leading to redirection to malicious sites or incorrect data references.

Such manipulation could be exploited to conduct phishing attacks, redirect users to harmful content, or interfere with data integrity by referencing invalid or malicious URLs.

The impact includes potential loss of trust, data exposure, or disruption of service depending on how the URLs are used within the application or by its users.

Mitigation Strategies

The recommended mitigation is to upgrade Apache NiFi to version 2.10.0, which implements validation for the X-ProxyHost and X-Forwarded-Host HTTP request headers based on the nifi.web.proxy.host property.

Enabling header validation requires configuring the application to use HTTPS.

Additionally, reverse proxy servers in front of Apache NiFi should be configured to filter input request headers and provide only allowed values to the application.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54665. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart