This is an automated email from the ASF dual-hosted git repository.

exceptionfactory pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi-site.git

commit e791143c9bc7d1fb63f5dde5651592a26c8776d4
Author: exceptionfactory <[email protected]>
AuthorDate: Sat Jun 20 11:44:56 2026 -0500

    NIFI-15845 Published CVE-2026-44914
---
 content/documentation/security.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/content/documentation/security.md 
b/content/documentation/security.md
index 4530e504..56abbf08 100644
--- a/content/documentation/security.md
+++ b/content/documentation/security.md
@@ -71,6 +71,29 @@ Severity ratings represent the determination of project 
members based on an eval
 
 The following announcements include published vulnerabilities that apply 
directly to Apache NiFi components.
 
+{{< vulnerability
+id="CVE-2026-44914"
+title="Missing Authorization of Restricted Permissions when Replacing Flow 
Contents"
+published="2026-06-20"
+severity="High"
+products="Apache NiFi"
+affectedVersions="1.12.0 to 2.9.0"
+fixedVersion="2.10.0"
+jira="NIFI-15845"
+pullRequest="11148"
+reporter="Roberto Suggi Liverani from NATO Cyber Security Centre (NCSC)" >}}
+
+Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing 
Process Groups that include extension
+components with specific Required Permissions based on the Restricted 
annotation. The Restricted annotation indicates
+additional privileges required, but framework authorization did not check 
restricted status when handling requests to
+replace Process Groups. The missing authorization permits a user with general 
write access to add components with
+Restricted status. Apache NiFi installations that do not implement specific 
authorization for Restricted components are
+not subject to this vulnerability because the framework enforces write 
permissions as the security boundary. Upgrading
+to Apache NiFi 2.9.0 is the recommended mitigation, which removes the 
implementation of Restricted status authorization
+from the framework.
+
+{{</ vulnerability >}}
+
 {{< vulnerability
 id="CVE-2026-44913"
 title="Improper Escaping of Table Names in CaptureChangeMySQL"

Reply via email to