Description
Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extension components with specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required, but framework authorization did not check restricted status when handling requests to replace Process Groups. The missing authorization permits a user with general write access to add components with Restricted status. Apache NiFi installations that do not implement specific authorization for Restricted components are not subject to this vulnerability because the framework enforces write permissions as the security boundary. Upgrading to Apache NiFi 2.9.0 is the recommended mitigation, which removes the implementation of Restricted status authorization from the framework.
Published: 2026-06-22
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when the NiFi framework fails to enforce the Restricted annotation during process group replacement. A user granted general write access can replace a process group that contains components requiring restricted rights and thus add those components without the necessary authorization. This creates an elevation of privilege path that can allow the attacker to deploy components with elevated capabilities or sensitive configurations without being subject to the normal restricted permission checks.

Affected Systems

Apache NiFi versions 1.12.0 through 2.9.0 are affected. The issue exists in the default installation of NiFi from the Apache Software Foundation. Systems that have applied tighter write permissions or that have custom authorization may not be vulnerable, but the vulnerability remains in the core framework until the latest version.

Risk and Exploitability

The CVSS base score is 7.5, indicating a high severity. EPSS information is not available and the vulnerability is not yet in the CISA KEV catalog. Exploitation requires the attacker to possess write privileges on the NiFi instance; there is no known remote execution vector independent of that. The risk is therefore limited to users who already have write access, but the impact of adding restricted components can be significant, especially if those components expose additional hooks or data. The lack of formal authorization checks means any write-capable user can elevate their privileges within the flow, making the vulnerability a serious concern for environments that rely on the Restricted annotation to enforce sensitive component boundaries.

Generated by OpenCVE AI on June 22, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Apache NiFi 2.9.0 or later, which removes the restricted status check within the framework.
  • Restrict write permissions to only trusted users and monitor the replace process group API calls for suspicious activity if an upgrade cannot be performed immediately.
  • Review and enforce ACLs to ensure that only necessary users have write access; consider adding custom authorization checks for components marked as Restricted until the framework update is applied.

Generated by OpenCVE AI on June 22, 2026 at 09:20 UTC.
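One way to act on the monitoring advice above, as an added example that is not part of this advisory or of the NiFi project: a small Python filter over constructed nifi-user.log lines that flags flow-contents replacement requests made by identities outside an allow-list. The log line shape (NiFi's RequestLogger entries) and the endpoint `PUT /nifi-api/process-groups/{id}/flow-contents` as the replace-process-group call are assumptions, not taken from the advisory.

```python
import re
from dataclasses import dataclass

# Constructed sample lines shaped like nifi-user.log RequestLogger entries
# (the line format and the endpoint are assumptions, not from the advisory).
SAMPLE_LOG = """\
2026-06-22 08:12:01,114 INFO [NiFi Web Server-21] org.apache.nifi.web.filter.RequestLogger Attempting request for (CN=alice, OU=flows) GET https://nifi.example.internal:8443/nifi-api/flow/current-user (source ip: 10.0.4.12)
2026-06-22 08:12:09,301 INFO [NiFi Web Server-23] org.apache.nifi.web.filter.RequestLogger Attempting request for (CN=alice, OU=flows) PUT https://nifi.example.internal:8443/nifi-api/process-groups/7f3c2a10-0190-1000-0000-000000000001/flow-contents (source ip: 10.0.4.12)
2026-06-22 08:13:44,007 INFO [NiFi Web Server-25] org.apache.nifi.web.filter.RequestLogger Attempting request for (CN=bob, OU=ops) PUT https://nifi.example.internal:8443/nifi-api/process-groups/7f3c2a10-0190-1000-0000-000000000002/flow-contents (source ip: 10.0.9.80)
2026-06-22 08:14:02,550 INFO [NiFi Web Server-26] org.apache.nifi.web.filter.RequestLogger Attempting request for (CN=alice, OU=flows) POST https://nifi.example.internal:8443/nifi-api/process-groups/7f3c2a10-0190-1000-0000-000000000001/processors (source ip: 10.0.4.12)
"""

# Timestamp, authenticated identity, HTTP method, URL and source IP of one request.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?RequestLogger Attempting request for "
    r"\((?P<user>[^)]*)\) (?P<method>[A-Z]+) (?P<url>\S+) \(source ip: (?P<ip>[^)]+)\)$"
)
# Assumed replace-process-group endpoint: PUT .../process-groups/{id}/flow-contents
REPLACE_RE = re.compile(r"/nifi-api/process-groups/(?P<pg>[^/]+)/flow-contents$")

@dataclass(frozen=True)
class ReplaceEvent:
    ts: str
    user: str
    pg_id: str
    source_ip: str

def find_flow_replacements(log_text, allowed_users=frozenset()):
    """Return one ReplaceEvent per flow-contents replacement issued by an identity
    that is not on allowed_users (the identities trusted with Restricted components).
    Other methods and other endpoints are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "PUT":
            continue
        r = REPLACE_RE.search(m.group("url"))
        if not r or m.group("user") in allowed_users:
            continue
        events.append(ReplaceEvent(m.group("ts"), m.group("user"), r.group("pg"), m.group("ip")))
    return events

if __name__ == "__main__":
    for ev in find_flow_replacements(SAMPLE_LOG, allowed_users=frozenset({"CN=bob, OU=ops"})):
        print(f"{ev.ts} replace of process group {ev.pg_id} by {ev.user} from {ev.source_ip}")
```

Feed the real nifi-user.log through find_flow_replacements with the identities that legitimately hold Restricted Component permissions as the allow-list; any remaining event is a write-capable user replacing flow contents and is worth reviewing for Restricted components.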

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 08:00:00 +0000

Type | Values Removed | Values Added
Description | | (identical to the description above)
Title | | Apache NiFi: Missing Authorization of Restricted Permissions when Replacing Flow Contents
Weaknesses | | CWE-862
References | |
Metrics | | cvssV4_0 {'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/S:P/AU:Y/R:U/V:C/RE:L/U:Clear'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-22T08:02:04.666Z

Reserved: 2026-05-08T04:30:00.505Z

Link: CVE-2026-44914

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T09:30:16Z

Weaknesses