Description
The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type, enabling Groovy Script execution in the service prior to submitting the query. The missing Restricted annotation allows users without the Execute Code Permission to configure the Service in installations that use fine-grained authorization and have the optional TinkerpopClientService installed. Apache NiFi installations that do not have the nifi-other-graph-services-nar installed are not subject to this vulnerability. Upgrading to Apache NiFi 2.9.0 is the recommended mitigation.
Published: 2026-05-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from the optional TinkerpopClientService component lacking a Restricted annotation that would enforce the Execute Code permission. Consequently, users without explicit code-execution rights can create or modify this service, specify Groovy script bytecode, and have the NiFi process execute arbitrary code. The result is an elevation of privilege that can lead to full system compromise, data exfiltration, or further lateral movement within the environment.

Affected Systems

This issue affects Apache NiFi versions from 2.0.0-M1 up to 2.8.0 when the optional nifi-other-graph-services-nar component is installed. Installations that do not include this component are not impacted.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability is considered high severity. EPSS is not available, and the weakness is not listed in CISA’s KEV catalog. The likely attack vector involves an attacker who can access NiFi’s configuration interface or controller service API, exploiting the missing permission check to reconfigure the TinkerpopClientService and execute Groovy scripts under the NiFi process context.

Generated by OpenCVE AI on May 8, 2026 at 17:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache NiFi to version 2.9.0 or later, which adds the missing Restricted annotation to TinkerpopClientService.
  • If an upgrade is not immediately possible, uninstall or disable the optional nifi-other-graph-services-nar component to prevent configuration of TinkerpopClientService.
  • Restrict access to NiFi’s configuration and controller service APIs to privileged administrators only, ensuring that users without Execute Code permission cannot modify controller services.
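One way to check which flows would need attention before the upgrade is to audit an exported NiFi flow definition for this service. The script below is an added example, not part of this OpenCVE record or of Apache NiFi: it lists every TinkerpopClientService instance in the export and flags those whose Script Submission Type is set to ByteCode Submission. The JSON layout, the fully qualified service type string and the property key are assumptions; the sample export is constructed.

```python
import json
# Constructed sample of a NiFi flow-definition export. The nested layout, the
# service type string and the property key are assumptions; "Script Submission
# Type" and "ByteCode Submission" follow the wording of the advisory.
SAMPLE_FLOW = json.dumps({"flowContents": {
    "name": "root",
    "controllerServices": [
        {"identifier": "svc-1", "name": "GraphSafe",
         "type": "org.apache.nifi.graph.TinkerpopClientService",
         "properties": {"Script Submission Type": "Script Submission"}}],
    "processGroups": [{
        "name": "ingest",
        "controllerServices": [
            {"identifier": "svc-2", "name": "GraphRisky",
             "type": "org.apache.nifi.graph.TinkerpopClientService",
             "properties": {"Script Submission Type": "ByteCode Submission"}},
            {"identifier": "svc-3", "name": "Pool",
             "type": "org.apache.nifi.dbcp.DBCPConnectionPool",
             "properties": {}}],
        "processGroups": []}]}})

SERVICE_SUFFIX = "TinkerpopClientService"  # matched on the simple class name
PROP = "Script Submission Type"            # assumed property key
RISKY_VALUE = "ByteCode Submission"        # Groovy bytecode submission mode

def walk_groups(group, path):
    """Yield (path, group) for this process group and every nested one."""
    yield path, group
    for child in group.get("processGroups", []):
        yield from walk_groups(child, path + "/" + child.get("name", "?"))

def find_tinkerpop_services(flow_json):
    """Return (group path, id, name, submission type, risky) per instance.
    All instances are listed: on an affected version any user able to edit the
    service can switch it to ByteCode Submission; risky marks current mode."""
    root = json.loads(flow_json)["flowContents"]
    findings = []
    for path, group in walk_groups(root, "/" + root.get("name", "root")):
        for svc in group.get("controllerServices", []):
            if not svc.get("type", "").endswith(SERVICE_SUFFIX):
                continue
            mode = svc.get("properties", {}).get(PROP)
            findings.append((path, svc["identifier"], svc.get("name"),
                             mode, mode == RISKY_VALUE))
    return findings

if __name__ == "__main__":
    for path, sid, name, mode, risky in find_tinkerpop_services(SAMPLE_FLOW):
        print("REVIEW" if risky else "ok", path, name, sid, mode)
```

Run against a real export by replacing SAMPLE_FLOW with the file contents; a non-empty result on a version before 2.9.0 means the service is present and the first two recommended actions apply regardless of the current submission mode.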

Generated by OpenCVE AI on May 8, 2026 at 17:26 UTC.

Advisories

No advisories yet.

History

Sat, 09 May 2026 02:30:00 +0000

Type Values Removed Values Added
References

Fri, 08 May 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 08 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared  Apache; Apache nifi
Vendors & Products  Apache; Apache nifi

Fri, 08 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 08 May 2026 14:30:00 +0000

Type Values Removed Values Added
References

Fri, 08 May 2026 14:00:00 +0000

Type Values Removed Values Added
Description (same text as the Description section above)
Title Apache NiFi: Missing Execute Code Required Permission on TinkerpopClientService
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/AU:Y/R:I/V:C/RE:L/U:Green'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-09T01:12:19.254Z

Reserved: 2026-04-07T16:21:21.196Z

Link: CVE-2026-39816

Vulnrichment

Updated: 2026-05-09T01:12:19.254Z

NVD

Status : Modified

Published: 2026-05-08T14:16:32.667

Modified: 2026-05-09T02:16:07.763

Link: CVE-2026-39816

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T17:45:12Z

Weaknesses