Description
Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required to add the annotated component to the flow configuration, but framework authorization did not check restricted status when updating a component previously added. The missing authorization requires a more privileged user to add a restricted component to the flow configuration, but permits a less privileged user to make property configuration changes. Apache NiFi installations that do not implement different levels of authorization for Restricted components are not subject to this vulnerability because the framework enforces write permissions as the security boundary. Upgrading to Apache NiFi 2.8.0 is the recommended mitigation.
Published: 2026-02-17
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The flaw is a missing authorization check when updating configuration properties on components that carry a Restricted annotation. Once a restricted component exists in the flow, a user holding only the lower privilege level can change its properties without the higher privileges that were required to add the component. This can allow the attacker to alter behavior, inject malicious logic, or bypass security controls, effectively raising their privilege level. The weakness is identified as CWE-862.

Affected Systems

Apache NiFi versions 1.1.0 through 2.7.2, inclusive, are affected. These installations belong to the Apache Software Foundation's NiFi product line. Versions prior to 2.8.0 do not contain the fix; therefore, any deployment using those versions must be upgraded. Installations that do not implement a separate authorization level for Restricted components, so that write permission is already the security boundary, are not affected.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, but the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the KEV catalog. Exploitation requires an attacker to already have the ability to create or modify components in the NiFi flow, typically via the UI or REST API. Once a restricted component exists, the system incorrectly accepts property updates because it does not re-check the Restricted annotation, providing a path to privilege escalation without compromising the underlying host.
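To make the gap described in the Impact and Risk sections concrete, the following Python is a hypothetical model written for this page; it is not Apache NiFi's authorization framework or code. It assumes two permissions: a `write` permission that lets a user modify the flow, and a separate `restricted` permission that gates components carrying the Restricted annotation. The user names, component type and property names are constructed. The pre-fix update path checks only `write`, while the fixed path applies the same Restricted check on update that the add path already applies.

```python
"""Hypothetical model of the authorization gap behind CVE-2026-25903.

Not Apache NiFi code: a simplified two-permission scheme used to show why an
update path must re-apply the Restricted check that the add path enforces.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset  # constructed: e.g. {"write"} or {"write", "restricted"}


@dataclass
class Component:
    component_type: str
    restricted: bool  # stands in for the Restricted annotation on the component
    properties: dict = field(default_factory=dict)


class AuthorizationError(PermissionError):
    """Raised when the acting user lacks a permission the action requires."""


def require(user: User, permission: str, action: str) -> None:
    """Authorization primitive: fail closed if the permission is absent."""
    if permission not in user.permissions:
        raise AuthorizationError(f"{user.name} lacks '{permission}' for {action}")


def authorize_add(user: User, component: Component) -> None:
    """Adding a component needs write, plus restricted if the type is annotated."""
    require(user, "write", "add")
    if component.restricted:
        require(user, "restricted", f"add {component.component_type}")


def update_properties_vulnerable(user: User, component: Component, new_props: dict) -> dict:
    """Pre-fix pattern: only write is checked, so the restricted status of a
    component that was already added is never consulted on update."""
    require(user, "write", "update")
    component.properties.update(new_props)
    return dict(component.properties)


def update_properties_fixed(user: User, component: Component, new_props: dict) -> dict:
    """Fixed pattern: update re-applies the same Restricted check as add."""
    require(user, "write", "update")
    if component.restricted:
        require(user, "restricted", f"update {component.component_type}")
    component.properties.update(new_props)
    return dict(component.properties)


def allowed(action, *args) -> bool:
    """Run an authorization-guarded action and report whether it was permitted."""
    try:
        action(*args)
        return True
    except AuthorizationError:
        return False


def demo() -> dict:
    """Walk through the advisory's scenario with constructed users and a
    constructed restricted component added by the privileged user."""
    admin = User("admin", frozenset({"write", "restricted"}))
    operator = User("operator", frozenset({"write"}))

    def restricted_component() -> Component:
        return Component("RestrictedExampleProcessor", restricted=True,
                         properties={"Target Directory": "/data/in"})

    change = {"Target Directory": "/data/other"}
    return {
        "admin_can_add": allowed(authorize_add, admin, restricted_component()),
        "operator_can_add": allowed(authorize_add, operator, restricted_component()),
        # The gap: write-only user may change a restricted component's properties.
        "operator_update_before_fix": allowed(update_properties_vulnerable, operator,
                                              restricted_component(), change),
        # After the fix the update is refused for the same user.
        "operator_update_after_fix": allowed(update_properties_fixed, operator,
                                             restricted_component(), change),
        "admin_update_after_fix": allowed(update_properties_fixed, admin,
                                          restricted_component(), change),
    }


if __name__ == "__main__":
    for outcome, permitted in demo().items():
        print(f"{outcome}: {'allowed' if permitted else 'denied'}")
```

The model keeps the add and update checks as separate functions on purpose: the defect is that two code paths enforce different policy for the same annotated component, and the fix is to make the update path consult the same restricted status the add path does, rather than treating write permission as sufficient.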

Generated by OpenCVE AI on April 17, 2026 at 18:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache NiFi to version 2.8.0 or later.
  • Re-evaluate all existing restricted components and ensure that only privileged users can modify them by adjusting the component-level authorization settings.
  • If an immediate upgrade is not possible, restrict API access to the endpoints used for component updates so that low-privilege users cannot issue property changes.


Advisories
Source | ID | Title
GitHub GHSA | GHSA-c5w7-m8wf-xc77 | Apache NiFi: Missing Authorization of Restricted Permissions for Component Updates
History

Mon, 30 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Wed, 18 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Apache; Apache nifi
Vendors & Products | | Apache; Apache nifi

Tue, 17 Feb 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 17 Feb 2026 11:30:00 +0000

Type | Values Removed | Values Added
References | |

Tue, 17 Feb 2026 10:15:00 +0000

Type | Values Removed | Values Added
Description | | Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required to add the annotated component to the flow configuration, but framework authorization did not check restricted status when updating a component previously added. The missing authorization requires a more privileged user to add a restricted component to the flow configuration, but permits a less privileged user to make property configuration changes. Apache NiFi installations that do not implement different levels of authorization for Restricted components are not subject to this vulnerability because the framework enforces write permissions as the security boundary. Upgrading to Apache NiFi 2.8.0 is the recommended mitigation.
Title | | Apache NiFi: Missing Authorization of Restricted Permissions for Component Updates
Weaknesses | | CWE-862
References | |
Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:Y/R:I/V:C/RE:M/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-02-17T14:29:12.153Z

Reserved: 2026-02-08T03:08:28.476Z

Link: CVE-2026-25903

Vulnrichment

Updated: 2026-02-17T10:19:57.362Z

NVD

Status : Analyzed

Published: 2026-02-17T10:15:57.950

Modified: 2026-03-30T15:20:58.423

Link: CVE-2026-25903

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T19:00:11Z

Weaknesses