URL Manipulation Vulnerability in Apache NiFi by Apache
CVE-2026-54665

6.3 MEDIUM

Key Information:

Vendor:
Apache

CVE Published:
22 June 2026

What is CVE-2026-54665?

Apache NiFi builds fully qualified URLs from HTTP request headers, and before 2.10.0 it did so without validating all of the headers it consulted. Version 1.6.0 added validation for the standard Host header, but the proxy-related headers X-ProxyHost and X-Forwarded-Host remained unvalidated, so a client that can set them can place an attacker-chosen host in the URLs the application generates. That influence over URL generation can be used for misleading redirection or to steer users toward unintended data access. Apache NiFi 2.10.0 extends validation to these headers; users should upgrade to 2.10.0 and configure the application to use HTTPS.
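The pattern the advisory describes, as an added example that is not Apache NiFi's own code: a URL builder that trusts whichever forwarding header is present (validating only Host, as the 1.6.0 mitigation did, leaves it exploitable), beside a hardened form that checks the chosen value against a configured allowlist. The header names Host, X-ProxyHost and X-Forwarded-Host come from the advisory; the precedence order, function names, allowlist contents and sample requests are assumptions made for the illustration.

```python
"""Added example, not Apache NiFi code: proxy-aware URL construction that
trusts forwarding headers, beside a form that validates them.

Header names follow the advisory; precedence, function names, the allowlist
and the sample requests are assumptions for this illustration.
"""
import re
from typing import Mapping, Optional

# Assumed operator configuration: the only host[:port] values this deployment
# is addressed by. In a real system this comes from configuration, never from
# the request.
ALLOWED_HOSTS = frozenset({"nifi.example.internal", "nifi.example.internal:8443"})

# Syntactic check: DNS name or bracketed IPv6 literal, with an optional port.
_HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
    r"|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?$"
)

# Assumed precedence: proxy-specific header first, then the de-facto standard
# forwarding header, then the plain Host header.
_HOST_HEADERS = ("X-ProxyHost", "X-Forwarded-Host", "Host")


def _get(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, as an HTTP server performs it."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower())


def requested_host_unvalidated(headers: Mapping[str, str]) -> str:
    """Vulnerable pattern: the first forwarding header present wins, and
    nothing checks it against the hosts the deployment actually answers to.
    Validating only Host does not help, because Host is consulted last."""
    for name in _HOST_HEADERS:
        value = _get(headers, name)
        if value:
            # X-Forwarded-Host may carry a comma-separated chain; take the first hop.
            return value.split(",")[0].strip()
    raise ValueError("request carries no host header")


def requested_host_validated(headers: Mapping[str, str],
                             allowed: frozenset = ALLOWED_HOSTS) -> str:
    """Hardened form: same selection, but the chosen value must be a
    well-formed host and must appear in the configured allowlist."""
    host = requested_host_unvalidated(headers)
    if not _HOST_RE.match(host):
        raise ValueError(f"malformed host header value: {host!r}")
    if host.lower() not in allowed:
        raise ValueError(f"host {host!r} is not in the configured allowlist")
    return host


def absolute_url(headers: Mapping[str, str], path: str, *, validate: bool) -> str:
    """Build the fully qualified URL an application would emit, e.g. in a
    redirect. The scheme is pinned to https, as the advisory recommends, so
    the host is the only component a client can influence here."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    host = requested_host_validated(headers) if validate else requested_host_unvalidated(headers)
    return f"https://{host}{path}"


# Constructed sample requests (not captured traffic).
LEGITIMATE = {"Host": "nifi.example.internal:8443"}
# Host is genuine, so a Host-only check passes, but the proxy header is forged.
FORGED = {"Host": "nifi.example.internal:8443",
          "X-Forwarded-Host": "attacker.example, nifi.example.internal:8443"}
MALFORMED = {"X-ProxyHost": "nifi.example.internal:8443@attacker.example"}


if __name__ == "__main__":
    print(absolute_url(FORGED, "/nifi/", validate=False))  # attacker-controlled host
    for request in (FORGED, MALFORMED):
        try:
            absolute_url(request, "/nifi/", validate=True)
        except ValueError as exc:
            print("rejected:", exc)
    print(absolute_url(LEGITIMATE, "/nifi/", validate=True))
```

The allowlist check is the part that matters: a syntactic check alone still accepts `attacker.example`, because it is a perfectly well-formed hostname. Operators should also confirm that any reverse proxy in front of NiFi strips or overwrites client-supplied X-ProxyHost and X-Forwarded-Host headers rather than passing them through.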

Affected Version(s)

Apache NiFi from 0.0.1 up to, but not including, 2.10.0

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published: 22 June 2026

  • Vulnerability reserved

Credit

Jose Rivas