Description
Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that provide an alternative to the standard Host header without validating the values provided. Apache NiFi 1.6.0 introduced a configurable application property to restrict values provided in the HTTP Host header, but did not apply the validation to alternative Proxy and Forwarded headers. The absence of proxy host header validation allowed a client to instruct Apache NiFi web services to construct invalid qualified URLs for redirection or data references. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which implements validation for the X-ProxyHost and X-Forwarded-Host HTTP request headers based on the nifi.web.proxy.host property. Enabling header validation requires configuring the application with HTTPS. Reverse proxy servers in front of Apache NiFi are responsible for filtering input request headers and providing allowed values to the application.
Published: 2026-06-22
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache NiFi versions 0.0.1 through 2.9.0 construct qualified URLs from several HTTP request headers that can act as alternatives to the standard Host header. The implementation did not validate the values supplied in these headers, including X-ProxyHost and X-Forwarded-Host. A client can therefore submit arbitrary header values that lead NiFi to build malformed or malicious URLs for redirection or data references. This flaw is a CWE‑346 weakness involving missing validation of critical input.

Affected Systems

The vulnerability applies to the Apache Software Foundation’s Apache NiFi product in all releases from 0.0.1 up to and including 2.9.0. Versions 1.6.0 introduced host‑header restrictions for the standard Host header but did not affect the alternative proxy or forwarded headers, so the issue remains in those releases. The problem is resolved in version 2.10.0 and later.

Risk and Exploitability

The CVSS score of 6.3 indicates medium severity. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a client that can reach the NiFi web service interface; the client can send crafted HTTP requests containing malicious proxy host headers to affect URL construction. No additional authentication or privileged conditions are described, so the risk applies to any reachable client.

Generated by OpenCVE AI on June 22, 2026 at 09:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache NiFi to version 2.10.0 or newer, which implements validation for the X-ProxyHost and X-Forwarded-Host headers based on the nifi.web.proxy.host property.
  • If an upgrade is not immediately possible, configure any reverse proxy in front of NiFi to remove or reject X-ProxyHost and X-Forwarded-Host headers before forwarding requests to the NiFi instance.
  • Enable HTTPS termination and configure the application to use the nifi.web.proxy.host property to restrict acceptable host values, whenever the application supports this setting in the newer release.

Generated by OpenCVE AI on June 22, 2026 at 09:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache nifi
Vendors & Products Apache
Apache nifi

Mon, 22 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Description Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that provide an alternative to the standard Host header without validating the values provided. Apache NiFi 1.6.0 introduced a configurable application property to restrict values provided in the HTTP Host header, but did not apply the validation to alternative Proxy and Forwarded headers. The absence of proxy host header validation allowed a client to instruct Apache NiFi web services to construct invalid qualified URLs for redirection or data references. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which implements validation for the X-ProxyHost and X-Forwarded-Host HTTP request headers based on the nifi.web.proxy.host property. Enabling header validation requires configuring the application with HTTPS. Reverse proxy servers in front of Apache NiFi are responsible for filtering input request headers and providing allowed values to the application.
Title Apache NiFi: Missing Validation for Proxy Host Headers
Weaknesses CWE-346
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/S:N/AU:Y/R:A/V:D/RE:L/U:Green'}


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-22T16:09:50.834Z

Reserved: 2026-06-15T20:22:59.629Z

Link: CVE-2026-54665

cve-icon Vulnrichment

Updated: 2026-06-22T08:02:18.320Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T11:00:05Z

Weaknesses