Code Execution Issue in Apache NiFi's TinkerpopClientService
CVE-2026-39816
7.5 HIGH
What is CVE-2026-39816?
The TinkerpopClientService component of Apache NiFi versions 2.0.0-M1 through 2.8.0 lacks the necessary Restricted annotation for the Execute Code Required Permission. Without that annotation, unauthorized users can configure the service, particularly in environments that use fine-grained authorization. The service supports ByteCode Submission for executing Groovy scripts, so the missing restriction poses a significant risk if exploited. Users are advised to upgrade to Apache NiFi 2.9.0 or later to resolve this vulnerability.
Affected Version(s)
Apache NiFi 2.0.0-M1 through 2.8.0
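
A triage check for the range above, added here as an example and not taken from the advisory or from Apache NiFi: it tests a version string against 2.0.0-M1 through 2.8.0 (milestone builds sort before the final release) and lists any TinkerpopClientService entries in a parsed flow definition. It assumes the flow definition is JSON in which each component carries its class name in a `type` field; the function names, the sample flow and the `example.pkg` package are constructed for illustration.

```python
import json
import re

AFFECTED_FIRST = "2.0.0-M1"   # first affected version, from the advisory
AFFECTED_LAST = "2.8.0"       # last affected version; 2.9.0 carries the fix
COMPONENT = "TinkerpopClientService"

def version_key(version):
    """Sort key for NiFi versions; a milestone (2.0.0-M1) sorts before its release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised NiFi version: {version!r}")
    major, minor, patch, milestone = m.groups()
    # A final release has no milestone suffix and ranks above any -M<n> of the same x.y.z.
    return (int(major), int(minor), int(patch), 0 if milestone else 1, int(milestone or 0))

def is_affected_version(version):
    return version_key(AFFECTED_FIRST) <= version_key(version) <= version_key(AFFECTED_LAST)

def find_component(node, hits=None):
    """Walk a parsed flow definition and collect services whose class is COMPONENT."""
    hits = [] if hits is None else hits
    if isinstance(node, dict):
        if str(node.get("type", "")).split(".")[-1] == COMPONENT:
            hits.append(node.get("name") or node.get("identifier") or "<unnamed>")
        for value in node.values():
            find_component(value, hits)
    elif isinstance(node, list):
        for item in node:
            find_component(item, hits)
    return hits

def triage(version, flow):
    return {"version_affected": is_affected_version(version),
            "configured_services": find_component(flow)}

# Constructed sample flow (not from a real deployment); the package name is a placeholder.
SAMPLE_FLOW = json.loads("""
{"rootGroup": {"controllerServices": [
    {"identifier": "cs-1", "name": "graph-client", "type": "example.pkg.TinkerpopClientService"},
    {"identifier": "cs-2", "name": "json-reader", "type": "example.pkg.JsonTreeReader"}],
  "processGroups": [{"controllerServices": [
    {"identifier": "cs-3", "name": "nested-graph", "type": "example.pkg.TinkerpopClientService"}]}]}}
""")

if __name__ == "__main__":
    for v in ("1.28.1", "2.0.0-M1", "2.0.0", "2.8.0", "2.9.0"):
        print(v, triage(v, SAMPLE_FLOW))
```

An affected version with no configured service is still in scope of the advisory; the flow scan only shows where the service already exists so its configuration and the access policies on it can be reviewed.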