This is an automated email from the ASF dual-hosted git repository.
exceptionfactory pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi-site.git
The following commit(s) were added to refs/heads/main by this push:
new 3e0a7104 NIFI-15800 Published CVE-2026-39816
3e0a7104 is described below
commit 3e0a71041bc7e60ae0ab4be8461ba80526de6a06
Author: exceptionfactory <[email protected]>
AuthorDate: Mon Apr 13 09:44:54 2026 -0500
NIFI-15800 Published CVE-2026-39816
---
content/documentation/security.md | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/content/documentation/security.md
b/content/documentation/security.md
index bf7c371f..003c9b03 100644
--- a/content/documentation/security.md
+++ b/content/documentation/security.md
@@ -71,6 +71,25 @@ Severity ratings represent the determination of project
members based on an eval
The following announcements include published vulnerabilities that apply
directly to Apache NiFi components.
+{{< vulnerability
+id="CVE-2026-39816"
+title="Missing Execute Code Required Permission on TinkerpopClientService"
+published="2026-04-13"
+severity="High"
+products="Apache NiFi"
+affectedVersions="2.0.0-M1 to 2.8.0"
+fixedVersion="2.9.0"
+jira="NIFI-15800"
+pullRequest="11108"
+reporter="John Walker from ZeroPath" >}}
+
+The optional extension component TinkerpopClientService is missing the
Restricted annotation with the Execute Code Required Permission in Apache NiFi
2.0.0-M1 through 2.8.0. The TinkerpopClientService
+supports configuration of ByteCode Submission for the Script Submission Type,
enabling Groovy Script execution in the service prior to submitting the query.
The missing Restricted annotation allows
+users without the Execute Code Permission to configure the Service in
installations that use fine-grained authorization and have the optional
TinkerpopClientService installed. Apache NiFi
+installations that do not have the nifi-other-graph-services-nar installed are
not subject to this vulnerability. Upgrading to Apache NiFi 2.9.0 is the
recommended mitigation.
+
+{{</ vulnerability >}}
+
{{< vulnerability
id="CVE-2026-25903"
title="Missing Authorization of Restricted Permissions for Component Updates"
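Review bot: the body paragraph of the new CVE-2026-39816 entry names upgrading to 2.9.0 as the only mitigation, yet the same paragraph states that installations without nifi-other-graph-services-nar are not subject to the issue; consider stating that as an explicit interim measure for deployments that cannot move to 2.9.0 immediately, e.g. "Installations unable to upgrade can remove the optional nifi-other-graph-services-nar until 2.9.0 is deployed." The paragraph also switches between "Execute Code Required Permission" and "Execute Code Permission" for the same concept, so pick one term and use it consistently with the title.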