Apache NiFi: Incorrect Authorization for Configuration Verification Requests
Summary
| CVE | CVE-2026-44911 |
|---|---|
| State | PUBLISHED |
| Assigner | apache |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-22 08:17:05 UTC |
| Updated | 2026-06-22 16:40:18 UTC |
| Description | Authorization handling for component configuration verification requests in Apache NiFi 1.15.0 through 2.9.0 allows clients with read access to submit proposed configuration properties. The proposed properties override current configuration, enabling users with read access to invoke predefined verification methods with alternative settings. Apache NiFi installations that do not implement different levels of authorization for viewing and modifying component configuration are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, requiring write access to submit configuration verification requests. |
Risk And Classification
Primary CVSS: v4.0 2.3 LOW from [email protected]
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:L/U:Amber
Problem Types: CWE-863 | CWE-863 CWE-863 Incorrect Authorization
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 2.3 | LOW | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/C... |
| 4.0 | CNA | CVSS | 2.3 | LOW | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/AU:Y/... |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
LowAttack Requirements
PresentPrivileges Required
LowUser Interaction
NoneConfidentiality
LowIntegrity
LowAvailability
LowSub Conf.
LowSub Integrity
LowSub Availability
LowCVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:L/U:Amber
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Apache Software Foundation | Apache NiFi | affected 1.15.0 2.9.0 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.openwall.com/lists/oss-security/2026/06/20/4 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| lists.apache.org/thread/wrj3t4k2bwd2cztyp078f5kj3722qfzy | [email protected] | lists.apache.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Kaixuan Li from Nanyang Technological University (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-04-21T11:00:00.000Z | reported |
There are currently no legacy QID mappings associated with this CVE.