This is an automated email from the ASF dual-hosted git repository.

exceptionfactory pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi-site.git


The following commit(s) were added to refs/heads/main by this push:
     new 99292db8 NIFI-15567 Published CVE-2026-25903
99292db8 is described below

commit 99292db86e18baf5e394f687b756d37e7624ed6f
Author: exceptionfactory <[email protected]>
AuthorDate: Mon Feb 16 11:07:08 2026 -0600

    NIFI-15567 Published CVE-2026-25903
---
 content/documentation/security.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/content/documentation/security.md 
b/content/documentation/security.md
index 9ea2c2fd..517cd234 100644
--- a/content/documentation/security.md
+++ b/content/documentation/security.md
@@ -66,6 +66,29 @@ Severity ratings represent the determination of project 
members based on an eval
 
 The following announcements include published vulnerabilities that apply 
directly to Apache NiFi components.
 
+{{< vulnerability
+id="CVE-2026-25903"
+title="Deserialization of Untrusted Data in GetAsanaObject Processor"
+published="2026-02-16"
+severity="High"
+products="Apache NiFi"
+affectedVersions="1.1.0 to 2.7.2"
+fixedVersion="2.8.0"
+jira="NIFI-15567"
+pullRequest="10871"
+reporter="David Handermann" >}}
+
+Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating 
configuration properties on extension components
+that have specific Required Permissions based on the Restricted annotation. 
The Restricted annotation indicates
+additional privileges required to add the annotated component to the flow 
configuration, but framework authorization did
+not check restricted status when updating a component previously added. The 
missing authorization requires a more
+privileged user to add a restricted component to the flow configuration, but 
permits a less privileged user to make
+property configuration changes. Apache NiFi installations that do not 
implement different levels of authorization for
+Restricted components are not subject to this vulnerability because the 
framework enforces write permissions as the
+security boundary. Upgrading to Apache NiFi 2.8.0 is the recommended 
mitigation.
+
+{{</ vulnerability >}}
+
 {{< vulnerability
 id="CVE-2025-66524"
 title="Deserialization of Untrusted Data in GetAsanaObject Processor"
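Review bot: the title of the new entry, `title="Deserialization of Untrusted Data in GetAsanaObject Processor"`, does not match the advisory body, which describes missing framework authorization when a less privileged user updates configuration properties on a component carrying the Restricted annotation; it is also identical to the title of the existing CVE-2025-66524 entry visible in the trailing context, which suggests a copy-and-paste carry-over. Suggest replacing it with a title that reflects the described weakness (for example, something along the lines of "Missing Authorization for Configuration Updates on Restricted Components"), checked against the CVE-2026-25903 record before the page is published, since the rendered advisory title is what readers and vulnerability feeds will index.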