This is an automated email from the ASF dual-hosted git repository.

exceptionfactory pushed a commit to branch main-staging
in repository https://gitbox.apache.org/repos/asf/nifi-site.git

commit 23c1363df46a5c303cac5479c5ecf681826ebdfe
Author: exceptionfactory <[email protected]>
AuthorDate: Sat Jun 20 11:40:15 2026 -0500

    NIFI-15875 Published CVE-2026-44911
    
    (cherry picked from commit 04dddcb1f45d7c693786f32cbce3e2732d73d2f8)
---
 content/documentation/security.md | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

diff --git a/content/documentation/security.md 
b/content/documentation/security.md
index 003c9b03..00ba5cd6 100644
--- a/content/documentation/security.md
+++ b/content/documentation/security.md
@@ -71,6 +71,27 @@ Severity ratings represent the determination of project 
members based on an eval
 
 The following announcements include published vulnerabilities that apply 
directly to Apache NiFi components.
 
+{{< vulnerability
+id="CVE-2026-44911"
+title="Incorrect Authorization for Configuration Verification Requests"
+published="2026-06-20"
+severity="Low"
+products="Apache NiFi"
+affectedVersions="1.15.0 to 2.9.0"
+fixedVersion="2.10.0"
+jira="NIFI-15875"
+pullRequest="11179"
+reporter="Kaixuan Li from Nanyang Technological University" >}}
+
+Authorization handling for component configuration verification requests in 
Apache NiFi 1.15.0 through 2.9.0 allows
+clients with read access to submit proposed configuration properties. The 
proposed properties override current
+configuration, enabling users with read access to invoke predefined 
verification methods with alternative settings.
+Apache NiFi installations that do not implement different levels of 
authorization for viewing and modifying component
+configuration are not subject to this vulnerability. Upgrading to Apache NiFi 
2.10.0 is the recommended mitigation,
+requiring write access to submit configuration verification requests.
+
+{{</ vulnerability >}}
+
 {{< vulnerability
 id="CVE-2026-39816"
 title="Missing Execute Code Required Permission on TinkerpopClientService"
@@ -83,10 +104,13 @@ jira="NIFI-15800"
 pullRequest="11108"
 reporter="John Walker from ZeroPath" >}}
 
-The optional extension component TinkerpopClientService is missing the 
Restricted annotation with the Execute Code Required Permission in Apache NiFi 
2.0.0-M1 through 2.8.0. The TinkerpopClientService
-supports configuration of ByteCode Submission for the Script Submission Type, 
enabling Groovy Script execution in the service prior to submitting the query. 
The missing Restricted annotation allows
-users without the Execute Code Permission to configure the Service in 
installations that use fine-grained authorization and have the optional 
TinkerpopClientService installed. Apache NiFi
-installations that do not have the nifi-other-graph-services-nar installed are 
not subject to this vulnerability. Upgrading to Apache NiFi 2.9.0 is the 
recommended mitigation.
+The optional extension component TinkerpopClientService is missing the 
Restricted annotation with the Execute Code
+Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The 
TinkerpopClientService supports configuration of ByteCode
+Submission for the Script Submission Type, enabling Groovy Script execution in 
the service prior to submitting the
+query. The missing Restricted annotation allows users without the Execute Code 
Permission to configure the Service in
+installations that use fine-grained authorization and have the optional 
TinkerpopClientService installed. Apache NiFi
+installations that do not have the nifi-other-graph-services-nar installed are 
not subject to this vulnerability.
+Upgrading to Apache NiFi 2.9.0 is the recommended mitigation.
 
 {{</ vulnerability >}}
 

Reply via email to