This is an automated email from the ASF dual-hosted git repository.

exceptionfactory pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi-site.git

commit d700ee3b6a3dd2e2a71d529105810a9fbddccc86
Author: exceptionfactory <[email protected]>
AuthorDate: Sat Jun 20 11:48:49 2026 -0500

    NIFI-15953 Published CVE-2026-54665
---
 content/documentation/security.md | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/content/documentation/security.md 
b/content/documentation/security.md
index 56abbf08..8055d64b 100644
--- a/content/documentation/security.md
+++ b/content/documentation/security.md
@@ -71,6 +71,30 @@ Severity ratings represent the determination of project 
members based on an eval
 
 The following announcements include published vulnerabilities that apply 
directly to Apache NiFi components.
 
+{{< vulnerability
+id="CVE-2026-54665"
+title="Missing Validation for Proxy Host Headers"
+published="2026-06-20"
+severity="Medium"
+products="Apache NiFi"
+affectedVersions="0.0.1 to 2.9.0"
+fixedVersion="2.10.0"
+jira="NIFI-15953"
+pullRequest="11268"
+reporter="Jose Rivas" >}}
+
+Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of 
several HTTP request headers that provide an
+alternative to the standard Host header without validating the values 
provided. Apache NiFi 1.6.0 introduced a
+configurable application property to restrict values provided in the HTTP Host 
header, but did not apply the validation
+to alternative Proxy and Forwarded headers. The absence of proxy host header 
validation allowed a client to instruct
+Apache NiFi web services to construct invalid qualified URLs for redirection 
or data references. Upgrading to Apache
+NiFi 2.10.0 is the recommended mitigation, which implements validation for the 
X-ProxyHost and X-Forwarded-Host HTTP
+request headers based on the nifi.web.proxy.host property. Enabling header 
validation requires configuring the
+application with HTTPS. Reverse proxy servers in front of Apache NiFi are 
responsible for filtering input request
+headers and providing allowed values to the application.
+
+{{</ vulnerability >}}
+
 {{< vulnerability
 id="CVE-2026-44914"
 title="Missing Authorization of Restricted Permissions when Replacing Flow 
Contents"

Reply via email to