CVE-2026-39816: CWE-862 Missing Authorization in Apache Software Foundation Apache NiFi
The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type, enabling Groovy Script execution in the service prior to submitting the query. The missing Restricted annotation allows users without the Execute Code Permission to configure the Service in installations that use fine-grained authorization and have the optional TinkerpopClientService installed. Apache NiFi installations that do not have the nifi-other-graph-services-nar installed are not subject to this vulnerability. Upgrading to Apache NiFi 2.9.0 is the recommended mitigation.
AI Analysis
Technical Summary
The vulnerability CVE-2026-39816 in Apache NiFi arises from the TinkerpopClientService missing the Restricted annotation that enforces Execute Code Required Permission. This service supports ByteCode Submission for Script Submission Type, enabling Groovy script execution before query submission. Due to the missing annotation, users without Execute Code permission can configure the service in environments using fine-grained authorization, potentially leading to unauthorized code execution. This affects Apache NiFi versions 2.0.0-M1 through 2.8.0 if the optional nifi-other-graph-services-nar is installed. The recommended mitigation is upgrading to Apache NiFi 2.9.0.
Potential Impact
Users with limited privileges but without Execute Code permission can configure the TinkerpopClientService to submit Groovy scripts, potentially leading to unauthorized code execution. This elevates the risk of privilege escalation and unauthorized actions within affected Apache NiFi installations that have the optional graph services component installed.
Mitigation Recommendations
Upgrading to Apache NiFi version 2.9.0 or later is the recommended mitigation to address this vulnerability. Patch status is not explicitly confirmed in the advisory, but the upgrade recommendation indicates an official fix is available in 2.9.0. Installations not using the nifi-other-graph-services-nar component are not affected and require no action related to this vulnerability.
CVE-2026-39816: CWE-862 Missing Authorization in Apache Software Foundation Apache NiFi
Description
The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type, enabling Groovy Script execution in the service prior to submitting the query. The missing Restricted annotation allows users without the Execute Code Permission to configure the Service in installations that use fine-grained authorization and have the optional TinkerpopClientService installed. Apache NiFi installations that do not have the nifi-other-graph-services-nar installed are not subject to this vulnerability. Upgrading to Apache NiFi 2.9.0 is the recommended mitigation.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-39816 in Apache NiFi arises from the TinkerpopClientService missing the Restricted annotation that enforces Execute Code Required Permission. This service supports ByteCode Submission for Script Submission Type, enabling Groovy script execution before query submission. Due to the missing annotation, users without Execute Code permission can configure the service in environments using fine-grained authorization, potentially leading to unauthorized code execution. This affects Apache NiFi versions 2.0.0-M1 through 2.8.0 if the optional nifi-other-graph-services-nar is installed. The recommended mitigation is upgrading to Apache NiFi 2.9.0.
Potential Impact
Users with limited privileges but without Execute Code permission can configure the TinkerpopClientService to submit Groovy scripts, potentially leading to unauthorized code execution. This elevates the risk of privilege escalation and unauthorized actions within affected Apache NiFi installations that have the optional graph services component installed.
Mitigation Recommendations
Upgrading to Apache NiFi version 2.9.0 or later is the recommended mitigation to address this vulnerability. Patch status is not explicitly confirmed in the advisory, but the upgrade recommendation indicates an official fix is available in 2.9.0. Installations not using the nifi-other-graph-services-nar component are not affected and require no action related to this vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-04-07T16:21:21.196Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fdede4cbff5d8610dd27a1
Added to database: 5/8/2026, 2:06:28 PM
Last enriched: 5/8/2026, 2:22:52 PM
Last updated: 5/9/2026, 5:44:10 AM
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.