CVE-2026-44911: CWE-863 Incorrect Authorization in Apache Software Foundation Apache NiFi
Apache NiFi versions 1.15.0 through 2.9.0 contain an authorization vulnerability where clients with read access can submit proposed configuration properties that override current configurations during component configuration verification requests. This allows such users to invoke predefined verification methods with alternative settings. The vulnerability does not affect installations that enforce distinct authorization levels for viewing and modifying component configurations. Upgrading to version 2.10.0 mitigates this issue by requiring write access for submitting configuration verification requests.
AI Analysis
Technical Summary
CVE-2026-44911 is an incorrect authorization vulnerability (CWE-863) in Apache NiFi affecting versions 1.15.0 through 2.9.0. The flaw allows users with read access to submit proposed configuration properties that override existing configurations during verification requests, enabling them to invoke verification methods with altered settings. This occurs because authorization handling does not properly restrict submission of configuration verification requests to users with higher privileges. The vulnerability is mitigated in Apache NiFi 2.10.0, which enforces write access requirements for such requests.
Potential Impact
Users with read access can submit configuration verification requests with proposed properties that override current configurations, potentially allowing unauthorized invocation of verification methods with alternative settings. This could lead to unauthorized configuration testing or information disclosure depending on the environment. However, installations that differentiate authorization levels for viewing and modifying configurations are not affected. The CVSS score is low (2.3), indicating limited impact.
Mitigation Recommendations
Upgrade Apache NiFi to version 2.10.0 or later, which requires write access to submit configuration verification requests, effectively mitigating this vulnerability. If upgrading is not immediately possible, ensure that your NiFi installation enforces different authorization levels for viewing and modifying component configurations to prevent exploitation. Patch status is not explicitly confirmed beyond the recommendation to upgrade to 2.10.0; check the official Apache NiFi advisory for the latest remediation guidance.
CVE-2026-44911: CWE-863 Incorrect Authorization in Apache Software Foundation Apache NiFi
Description
Apache NiFi versions 1.15.0 through 2.9.0 contain an authorization vulnerability where clients with read access can submit proposed configuration properties that override current configurations during component configuration verification requests. This allows such users to invoke predefined verification methods with alternative settings. The vulnerability does not affect installations that enforce distinct authorization levels for viewing and modifying component configurations. Upgrading to version 2.10.0 mitigates this issue by requiring write access for submitting configuration verification requests.
CVSS v4.0
Score 2.3low
Affected software
pkg:maven/Apache Software Foundation/org.apache.nifi:nifi-web-apiRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-44911 is an incorrect authorization vulnerability (CWE-863) in Apache NiFi affecting versions 1.15.0 through 2.9.0. The flaw allows users with read access to submit proposed configuration properties that override existing configurations during verification requests, enabling them to invoke verification methods with altered settings. This occurs because authorization handling does not properly restrict submission of configuration verification requests to users with higher privileges. The vulnerability is mitigated in Apache NiFi 2.10.0, which enforces write access requirements for such requests.
Potential Impact
Users with read access can submit configuration verification requests with proposed properties that override current configurations, potentially allowing unauthorized invocation of verification methods with alternative settings. This could lead to unauthorized configuration testing or information disclosure depending on the environment. However, installations that differentiate authorization levels for viewing and modifying configurations are not affected. The CVSS score is low (2.3), indicating limited impact.
Mitigation Recommendations
Upgrade Apache NiFi to version 2.10.0 or later, which requires write access to submit configuration verification requests, effectively mitigating this vulnerability. If upgrading is not immediately possible, ensure that your NiFi installation enforces different authorization levels for viewing and modifying component configurations to prevent exploitation. Patch status is not explicitly confirmed beyond the recommendation to upgrade to 2.10.0; check the official Apache NiFi advisory for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-05-08T03:42:57.928Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a38edaaeed863c81e7bf7b7
Added to database: 06/22/2026, 08:09:14 UTC
Last enriched: 06/22/2026, 08:24:34 UTC
Last updated: 06/22/2026, 08:51:50 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.