Apache Nifi vulnerabilities

CVE-2026-25903 [HIGH] CWE-862 CVE-2026-25903: Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required to add the annotated component to the flow configuration, but framework authorization did

CVE-2025-66524 [HIGH] CWE-502 CVE-2025-66524: Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration wi Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without filtering. Unfiltered Java object deserialization does no

CVE-2025-27017 [MEDIUM] CWE-538 CVE-2025-27017: Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoD Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized user with read access to the provenance events of those processors may see the credentials information. Upgrading to Apache NiFi 2.3.0 is the recommended

CVE-2024-56512 [LOW] CWE-638 CVE-2024-56512: Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Conte Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases where the Process Group did not reference any Parameter valu

CVE-2024-52067 [MEDIUM] CWE-532 CVE-2024-52067: Apache NiFi 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 include optional debug logging of Pa Apache NiFi 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 include optional debug logging of Parameter Context values during the flow synchronization process. An authorized administrator with access to change logging levels could enable debug logging for framework flow synchronization, causing the application to write Parameter names and values

CVE-2024-45477 [MEDIUM] CWE-79 CVE-2024-45477: Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Para Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session co

CVE-2024-37389 [MEDIUM] CWE-79 CVE-2024-37389: Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the P Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the

CVE-2023-49145 [HIGH] CWE-79 CVE-2023-49145: Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the se

CVE-2023-40037 [MEDIUM] CWE-184 CVE-2023-40037: Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Control Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection

CVE-2023-36542 [HIGH] CWE-94 CVE-2023-36542: Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL re Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration

CVE-2023-34468 [HIGH] CWE-94 CVE-2023-34468: The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1 The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.

CVE-2023-34212 [MEDIUM] CWE-502 CVE-2023-34212: The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Pr The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location. The resolution validates the JNDI URL and restricts

CVE-2023-22832 [HIGH] CWE-611 CVE-2023-22832: The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML Extern The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Dec

CVE-2022-33140 [HIGH] CWE-78 CVE-2022-33140: The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 t The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellU

CVE-2022-29265 [HIGH] CWE-611 CVE-2022-29265: Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default

CVE-2022-26850 [MEDIUM] CWE-668 CVE-2022-26850: When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which

CVE-2021-44145 [MEDIUM] CWE-200 CVE-2021-44145: In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.

CVE-2020-27223 [MEDIUM] CWE-407 CVE-2020-27223: In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty hand In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhaust

CVE-2021-20190 [HIGH] CWE-502 CVE-2021-20190: A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between s A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVE-2020-9486 [HIGH] CWE-532 CVE-2020-9486: In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which inclu In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext.