CVE-2026-54665
Analyzed Analyzed - Analysis Complete

Host Header Validation Bypass in Apache NiFi

Vulnerability report for CVE-2026-54665, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-23

Assigner: Apache Software Foundation

Description

Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that provide an alternative to the standard Host header without validating the values provided. Apache NiFi 1.6.0 introduced a configurable application property to restrict values provided in the HTTP Host header, but did not apply the validation to alternative Proxy and Forwarded headers. The absence of proxy host header validation allowed a client to instruct Apache NiFi web services to construct invalid qualified URLs for redirection or data references. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which implements validation for the X-ProxyHost and X-Forwarded-Host HTTP request headers based on the nifi.web.proxy.host property. Enabling header validation requires configuring the application with HTTPS. Reverse proxy servers in front of Apache NiFi are responsible for filtering input request headers and providing allowed values to the application.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-23
Generated
2026-07-12
AI Q&A
2026-06-22
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
apache nifi From 0.0.1 (inc) to 2.10.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify how CVE-2026-54665 affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in Apache NiFi versions 0.0.1 through 2.9.0, where the software builds qualified URLs from several HTTP request headers that serve as alternatives to the standard Host header without properly validating their values.

Although Apache NiFi 1.6.0 introduced a configurable property to restrict values in the HTTP Host header, it did not apply similar validation to alternative headers such as Proxy and Forwarded headers.

Because of this lack of validation, a client can send crafted HTTP headers that cause Apache NiFi web services to construct invalid or malicious URLs for redirection or data references.

The recommended mitigation is to upgrade to Apache NiFi 2.10.0, which implements validation for the X-ProxyHost and X-Forwarded-Host headers based on the nifi.web.proxy.host property and requires HTTPS configuration.

Impact Analysis

This vulnerability can allow an attacker to manipulate the URLs constructed by Apache NiFi web services, potentially leading to redirection to malicious sites or incorrect data references.

Such manipulation could be exploited to conduct phishing attacks, redirect users to harmful content, or interfere with data integrity by referencing invalid or malicious URLs.

The impact includes potential loss of trust, data exposure, or disruption of service depending on how the URLs are used within the application or by its users.

Mitigation Strategies

The recommended mitigation is to upgrade Apache NiFi to version 2.10.0, which implements validation for the X-ProxyHost and X-Forwarded-Host HTTP request headers based on the nifi.web.proxy.host property.

Enabling header validation requires configuring the application to use HTTPS.

Additionally, reverse proxy servers in front of Apache NiFi should be configured to filter input request headers and provide only allowed values to the application.

Detection Guidance

This vulnerability involves Apache NiFi accepting and using unvalidated HTTP headers such as X-ProxyHost and X-Forwarded-Host to construct URLs. To detect if your system is vulnerable, you can monitor HTTP requests to your NiFi instance and check if these headers are present and whether NiFi is processing them without validation.

One approach is to capture HTTP traffic to the NiFi server and inspect the headers for X-ProxyHost or X-Forwarded-Host. You can use tools like curl or tcpdump to send or capture requests with these headers.

  • Use curl to send a request with the X-ProxyHost header and observe the response or redirection behavior: curl -v -H "X-ProxyHost: malicious.example.com" http://<nifi-server>/
  • Use curl to send a request with the X-Forwarded-Host header: curl -v -H "X-Forwarded-Host: malicious.example.com" http://<nifi-server>/
  • Capture network traffic with tcpdump or Wireshark filtering for HTTP headers containing X-ProxyHost or X-Forwarded-Host to see if such headers are being accepted and processed.

If NiFi responds or redirects using the values from these headers without validation, it indicates the vulnerability is present. The recommended mitigation is to upgrade to NiFi 2.10.0 or ensure reverse proxies filter these headers.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54665. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart