CVE-2026-44914
- EPSS 0.29%
- Veröffentlicht 22.06.2026 07:38:01
- Zuletzt bearbeitet 24.06.2026 05:17:28
Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extension components with specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privilege...
CVE-2026-44911
- EPSS 0.26%
- Veröffentlicht 22.06.2026 07:37:10
- Zuletzt bearbeitet 23.06.2026 19:55:10
Authorization handling for component configuration verification requests in Apache NiFi 1.15.0 through 2.9.0 allows clients with read access to submit proposed configuration properties. The proposed properties override current configuration, enabling...
CVE-2026-44913
- EPSS 0.26%
- Veröffentlicht 22.06.2026 07:36:40
- Zuletzt bearbeitet 23.06.2026 19:53:00
Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope...
CVE-2026-54665
- EPSS 0.19%
- Veröffentlicht 22.06.2026 07:34:13
- Zuletzt bearbeitet 23.06.2026 19:19:18
Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that provide an alternative to the standard Host header without validating the values provided. Apache NiFi 1.6.0 introduced a configurable appli...
CVE-2026-39816
- EPSS 0.76%
- Veröffentlicht 08.05.2026 13:38:12
- Zuletzt bearbeitet 09.05.2026 02:16:07
The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for...
CVE-2026-25903
- EPSS 0.75%
- Veröffentlicht 17.02.2026 10:15:57
- Zuletzt bearbeitet 30.03.2026 15:20:58
Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privil...
CVE-2025-66524
- EPSS 0.44%
- Veröffentlicht 19.12.2025 09:24:40
- Zuletzt bearbeitet 08.01.2026 14:52:47
Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Obj...
CVE-2025-27017
- EPSS 1.14%
- Veröffentlicht 12.03.2025 16:19:45
- Zuletzt bearbeitet 16.07.2025 14:45:49
Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized user with read access to the provenance events of th...
CVE-2024-56512
- EPSS 3.1%
- Veröffentlicht 28.12.2024 17:15:07
- Zuletzt bearbeitet 11.02.2025 16:10:28
Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include b...
CVE-2024-52067
- EPSS 0.74%
- Veröffentlicht 21.11.2024 11:15:35
- Zuletzt bearbeitet 11.02.2025 16:26:42
Apache NiFi 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 include optional debug logging of Parameter Context values during the flow synchronization process. An authorized administrator with access to change logging levels could enable debug lo...