CVE-2026-25903 — Missing Authorization in Software Foundation Apache Nifi

CWE-862 — Missing Authorization6 documents6 sources

Severity

8.7HIGHNVD

EPSS

0.0%

top 92.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Nifi Apache Nifi

Timeline

PublishedFeb 17

Description

Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required to add the annotated component to the flow configuration, but framework authorization did not check restricted status when updating a component previously added. The missing authorization requires a more privileged user to add a restric…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P

Affected Packages2 packages

▶NVDapache/nifi1.1.0 — 2.8.0

▶CVEListV5apache_software_foundation/apache_nifi1.1.0 — 2.8.0

🔴Vulnerability Details

CVEList

Apache NiFi: Missing Authorization of Restricted Permissions for Component Updates↗2026-02-17

▶

GHSA

Apache NiFi: Missing Authorization of Restricted Permissions for Component Updates↗2026-02-17

▶

OSV

Apache NiFi: Missing Authorization of Restricted Permissions for Component Updates↗2026-02-17

▶

📋Vendor Advisories

Apache

Apache nifi: CVE-2026-25903↗

▶

🕵️Threat Intelligence

Wiz

CVE-2026-25903 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶