This is an automated email from the ASF dual-hosted git repository. exceptionfactory pushed a commit to branch main-staging in repository https://gitbox.apache.org/repos/asf/nifi-site.git
commit 23c1363df46a5c303cac5479c5ecf681826ebdfe Author: exceptionfactory <[email protected]> AuthorDate: Sat Jun 20 11:40:15 2026 -0500 NIFI-15875 Published CVE-2026-44911 (cherry picked from commit 04dddcb1f45d7c693786f32cbce3e2732d73d2f8) --- content/documentation/security.md | 32 ++++++++++++++++++++++++++++---- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/content/documentation/security.md b/content/documentation/security.md index 003c9b03..00ba5cd6 100644 --- a/content/documentation/security.md +++ b/content/documentation/security.md @@ -71,6 +71,27 @@ Severity ratings represent the determination of project members based on an eval The following announcements include published vulnerabilities that apply directly to Apache NiFi components. +{{< vulnerability +id="CVE-2026-44911" +title="Incorrect Authorization for Configuration Verification Requests" +published="2026-06-20" +severity="Low" +products="Apache NiFi" +affectedVersions="1.15.0 to 2.9.0" +fixedVersion="2.10.0" +jira="NIFI-15875" +pullRequest="11179" +reporter="Kaixuan Li from Nanyang Technological University" >}} + +Authorization handling for component configuration verification requests in Apache NiFi 1.15.0 through 2.9.0 allows +clients with read access to submit proposed configuration properties. The proposed properties override current +configuration, enabling users with read access to invoke predefined verification methods with alternative settings. +Apache NiFi installations that do not implement different levels of authorization for viewing and modifying component +configuration are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, +requiring write access to submit configuration verification requests. + +{{</ vulnerability >}} + {{< vulnerability id="CVE-2026-39816" title="Missing Execute Code Required Permission on TinkerpopClientService" @@ -83,10 +104,13 @@ jira="NIFI-15800" pullRequest="11108" reporter="John Walker from ZeroPath" >}} -The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService -supports configuration of ByteCode Submission for the Script Submission Type, enabling Groovy Script execution in the service prior to submitting the query. The missing Restricted annotation allows -users without the Execute Code Permission to configure the Service in installations that use fine-grained authorization and have the optional TinkerpopClientService installed. Apache NiFi -installations that do not have the nifi-other-graph-services-nar installed are not subject to this vulnerability. Upgrading to Apache NiFi 2.9.0 is the recommended mitigation. +The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code +Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode +Submission for the Script Submission Type, enabling Groovy Script execution in the service prior to submitting the +query. The missing Restricted annotation allows users without the Execute Code Permission to configure the Service in +installations that use fine-grained authorization and have the optional TinkerpopClientService installed. Apache NiFi +installations that do not have the nifi-other-graph-services-nar installed are not subject to this vulnerability. +Upgrading to Apache NiFi 2.9.0 is the recommended mitigation. {{</ vulnerability >}}
