Authorization Bypass in Apache NiFi Process Groups
CVE-2026-44914

7.5 HIGH

Key Information:

Vendor: Apache
CVE Published: 22 June 2026

What is CVE-2026-44914?

Apache NiFi versions 1.12.0 to 2.9.0 perform incomplete authorization checks when replacing Process Groups that include components marked with the Restricted annotation. Users with general write access can exploit this flaw to add Restricted components without the necessary permissions, potentially compromising the intended access controls. To mitigate this risk, upgrade to Apache NiFi 2.9.0 or later, which enforces the correct authorization checks.

Affected Version(s)

Apache NiFi 1.12.0 <= 2.9.0

CVSS V4

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Roberto Suggi Liverani from NATO Cyber Security Centre (NCSC).