CVE-2026-25903

Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required to add the annotated component to the flow configuration, but framework authorization did not check restricted status when updating a component previously added. The missing authorization requires a more privileged user to add a restricted component to the flow configuration, but permits a less privileged user to make property configuration changes. Apache NiFi installations that do not implement different levels of authorization for Restricted components are not subject to this vulnerability because the framework enforces write permissions as the security boundary. Upgrading to Apache NiFi 2.8.0 is the recommended mitigation.

CVSS v3 6.6 MEDIUM

6.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.7 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/jf6bkt9sk6xvshy8xyxv3vtlxd340345	Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/02/16/1	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*

History

30 Mar 2026, 15:20

Type	Values Removed	Values Added
CPE		cpe:2.3:a:apache:nifi::::::::
References	~~() https://lists.apache.org/thread/jf6bkt9sk6xvshy8xyxv3vtlxd340345 -~~	() https://lists.apache.org/thread/jf6bkt9sk6xvshy8xyxv3vtlxd340345 - Mailing List, Vendor Advisory
References	~~() http://www.openwall.com/lists/oss-security/2026/02/16/1 -~~	() http://www.openwall.com/lists/oss-security/2026/02/16/1 - Mailing List, Third Party Advisory
First Time		Apache nifi Apache
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.6

Information

Published : 2026-02-17 10:15

Updated : 2026-03-30 15:20

NVD link : CVE-2026-25903

Mitre link : CVE-2026-25903

CVE.ORG link : CVE-2026-25903

JSON object : View

Products Affected

apache

nifi

CWE

CWE-862

Missing Authorization

{"id": "CVE-2026-25903", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.7}], "cvssMetricV40": [{"type": "Secondary", "source": "security@apache.org", "cvssData": {"Safety": "PRESENT", "version": "4.0", "Recovery": "IRRECOVERABLE", "baseScore": 8.7, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:I/V:C/RE:M/U:Amber", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "AMBER", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-17T10:15:57.950", "references": [{"url": "https://lists.apache.org/thread/jf6bkt9sk6xvshy8xyxv3vtlxd340345", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2026/02/16/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required to add the annotated component to the flow configuration, but framework authorization did not check restricted status when updating a component previously added. The missing authorization requires a more privileged user to add a restricted component to the flow configuration, but permits a less privileged user to make property configuration changes. Apache NiFi installations that do not implement different levels of authorization for Restricted components are not subject to this vulnerability because the framework enforces write permissions as the security boundary. Upgrading to Apache NiFi 2.8.0 is the recommended mitigation."}, {"lang": "es", "value": "Apache NiFi 1.1.0 hasta 2.7.2 carecen de autorizaci\u00f3n al actualizar propiedades de configuraci\u00f3n en componentes de extensi\u00f3n que tienen Permisos Requeridos espec\u00edficos basados en la anotaci\u00f3n Restricted. La anotaci\u00f3n Restricted indica privilegios adicionales requeridos para a\u00f1adir el componente anotado a la configuraci\u00f3n del flujo, pero la autorizaci\u00f3n del framework no verific\u00f3 el estado restringido al actualizar un componente a\u00f1adido previamente. La autorizaci\u00f3n faltante requiere que un usuario m\u00e1s privilegiado a\u00f1ada un componente restringido a la configuraci\u00f3n del flujo, pero permite a un usuario menos privilegiado realizar cambios en la configuraci\u00f3n de propiedades. Las instalaciones de Apache NiFi que no implementan diferentes niveles de autorizaci\u00f3n para componentes Restricted no est\u00e1n sujetas a esta vulnerabilidad porque el framework impone permisos de escritura como el l\u00edmite de seguridad. Actualizar a Apache NiFi 2.8.0 es la mitigaci\u00f3n recomendada."}], "lastModified": "2026-03-30T15:20:58.423", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B9B62893-9A7C-4499-8515-12D3617D09C4", "versionEndExcluding": "2.8.0", "versionStartIncluding": "1.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}