Impact
Apache NiFi implements a verification endpoint that allows users to submit temporary configuration proposals and obtain feedback from predefined verification methods. In versions 1.15.0 through 2.9.0 the authorization mechanism does not distinguish between users who can view component settings and those who can modify them. Consequently, a caller with only read permissions can override the current configuration in the verification request, forcing the system to evaluate the proposed properties. This flaw does not alter the real configuration or grant elevated privileges, but it enables an attacker to gain insight into how the system validates configuration values, potentially leaking sensitive verification logic or behavior.
Affected Systems
Apache NiFi releases 1.15.0 through 2.9.0 are vulnerable. Installations that already enforce separate authorization levels for viewing versus modifying component configuration are not affected. The confirmed mitigation is to upgrade to NiFi 2.10.0 or later, which requires write access before a user can submit a configuration verification request.
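The following is an added illustration of the authorization gap described under Impact and of the fix noted above; it is constructed for this page and is not NiFi source code. It models a verification endpoint that merges a caller's proposed properties over the stored configuration and runs placeholder verification methods (`verify_port`, `verify_endpoint_scheme`), then contrasts an authorizer that only demands read permission (the 1.15.0 to 2.9.0 behaviour) with one that demands write permission (the 2.10.0 behaviour). The users, component id, property names and verifier logic are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, Optional, Tuple


class Action(Enum):
    READ = "read"    # may view a component's configuration
    WRITE = "write"  # may modify a component's configuration


@dataclass(frozen=True)
class User:
    name: str
    grants: FrozenSet[Tuple[str, Action]]  # (component_id, action) pairs

    def can(self, component_id: str, action: Action) -> bool:
        return (component_id, action) in self.grants


class Forbidden(Exception):
    """Raised when the authorizer denies a request."""


# Constructed verification methods. Real NiFi verifiers are component-specific;
# these only mimic the kind of outcome/explanation feedback such methods return.
def verify_port(props: Dict[str, str]) -> Tuple[str, str]:
    try:
        port = int(props.get("port", ""))
    except ValueError:
        return "FAILED", "port is not an integer"
    if 1 <= port <= 65535:
        return "SUCCESSFUL", f"port {port} is in range"
    return "FAILED", f"port {port} out of range"


def verify_endpoint_scheme(props: Dict[str, str]) -> Tuple[str, str]:
    if props.get("endpoint", "").startswith("https://"):
        return "SUCCESSFUL", "endpoint uses https"
    return "FAILED", "endpoint must use https"


VERIFIERS: Dict[str, Callable[[Dict[str, str]], Tuple[str, str]]] = {
    "port": verify_port,
    "endpoint": verify_endpoint_scheme,
}


def _handle_verify(user: User, component_id: str, stored: Dict[str, str],
                   proposed: Optional[Dict[str, str]],
                   required: Action) -> Dict[str, Tuple[str, str]]:
    """Model of the verification endpoint. `required` is the permission the
    authorizer checks before evaluating the proposal."""
    if not user.can(component_id, required):
        raise Forbidden(f"{user.name} lacks {required.value} on {component_id}")
    # The proposal overrides stored properties for evaluation only; the stored
    # map itself is never written back, matching the advisory's description.
    effective = {**stored, **(proposed or {})}
    return {name: check(effective) for name, check in VERIFIERS.items()}


def verify_config_vulnerable(user, component_id, stored, proposed=None):
    """Authorizes on READ: a viewer can have arbitrary overrides evaluated."""
    return _handle_verify(user, component_id, stored, proposed, Action.READ)


def verify_config_fixed(user, component_id, stored, proposed=None):
    """Authorizes on WRITE: only users who could change the config may verify."""
    return _handle_verify(user, component_id, stored, proposed, Action.WRITE)


def is_denied(handler, user, component_id, stored, proposed=None) -> bool:
    """True if the handler rejects the caller with Forbidden."""
    try:
        handler(user, component_id, stored, proposed)
    except Forbidden:
        return True
    return False


# Constructed sample principals and configuration.
COMPONENT = "proc-1"
VIEWER = User("viewer", frozenset({(COMPONENT, Action.READ)}))
EDITOR = User("editor", frozenset({(COMPONENT, Action.READ), (COMPONENT, Action.WRITE)}))
STORED = {"port": "8443", "endpoint": "https://nifi.internal.example"}
PROPOSED = {"port": "70000", "endpoint": "http://probe.example"}

if __name__ == "__main__":
    print("vulnerable, viewer:", verify_config_vulnerable(VIEWER, COMPONENT, STORED, PROPOSED))
    print("fixed, viewer denied:", is_denied(verify_config_fixed, VIEWER, COMPONENT, STORED, PROPOSED))
    print("fixed, editor:", verify_config_fixed(EDITOR, COMPONENT, STORED, PROPOSED))
    print("stored unchanged:", STORED)
```

The point the model makes is that the defect is purely in which permission the authorizer asks for: the evaluation path is identical in both variants, and the stored configuration is untouched either way, so the exposure is the verifier feedback itself rather than any state change.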
Risk and Exploitability
The vulnerability carries a CVSS score of 2.3 and is not currently listed in the CISA KEV database. Because exploitation only requires read access, it can be performed remotely over the standard NiFi API by any user who can authenticate. However, the lack of write privileges limits the practical impact, and no EPSS score is available; together these indicate a low likelihood of exploitation. Attackers would need to target a NiFi cluster that exposes the verification endpoint to authenticated read-only clients to obtain any benefit.
OpenCVE Enrichment