The flaw allows less-privileged authenticated users to modify configuration properties on “restricted” extension components that more privileged administrators added to a flow. In tiered-permission environments, this weakens critical security controls.
NiFi relies on the Restricted annotation to enforce extra privileges for sensitive components. These components often interact with the operating system, execute code, access external services, or perform other high-risk actions that admins tightly control.
The vulnerability stems from a missing authorization check during property updates on these components.
| CVE ID | Severity | Affected Versions | Description |
|---|---|---|---|
| CVE-2026-25903 | High | 1.1.0 to 2.7.2 | Missing authorization check for restricted permissions on extension component property updates, allowing bypass by low-privileged users. |
While adding a restricted component requires elevated privileges, the framework skips re-verifying restricted status during later property updates.
A user who lacks permission to add the component can thus alter properties on an existing one, bypassing the restricted-component authorization.
This creates a privilege escalation path in flows where restricted components handle sensitive operations like script execution or system calls.
Not all setups face equal risk. Deployments without differentiated authorization for restricted components are not affected in practice, because standard write permissions already form the main boundary there.
However, organizations using role-based access, such as permitting flow edits by operators while reserving restricted controls for admins, face real privilege boundary violations.
Attackers could reconfigure components to exfiltrate data, inject malicious logic, or degrade isolation.
Apache’s advisory (Apache NiFi Security Advisory) urges upgrading to NiFi 2.8.0, which restores proper checks on updates.
As interim steps, review access policies for flow modifications, enable auditing of component changes, and test that low-privilege roles cannot alter restricted settings. Scan deployments for unauthorized property tweaks since January 2026.
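As an added illustration (not NiFi's own code) of the missing check described above and of the audit step just recommended: a Python model in which the pre-2.8.0 update path checks only the write policy while the corrected path re-checks the restricted permissions, followed by a scan over constructed configuration-history records. The permission name "execute code", the component ids, user identities and record layout are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Component:
    id: str
    required_restricted: frozenset = frozenset()  # empty => not a restricted component

@dataclass
class User:
    identity: str
    write_on: set = field(default_factory=set)    # component ids the user may write
    restricted: set = field(default_factory=set)  # restricted permissions granted

def has_restricted(user, component):
    # True when the user holds every restricted permission the component requires
    return component.required_restricted <= user.restricted

def update_properties_vulnerable(user, component):
    # Pre-2.8.0 behaviour as the advisory describes it: only the write policy is checked
    return component.id in user.write_on

def update_properties_fixed(user, component):
    # Corrected check: write policy AND the restricted permissions, as at add time
    return component.id in user.write_on and has_restricted(user, component)

def flag_suspicious_configures(history, components, users):
    # Audit pass: Configure actions on restricted components by users lacking the permission
    flagged = []
    for rec in history:
        comp, user = components[rec["component_id"]], users[rec["user"]]
        if rec["operation"] == "Configure" and comp.required_restricted and not has_restricted(user, comp):
            flagged.append((rec["timestamp"], rec["user"], comp.id))
    return flagged

# Constructed sample data: restricted ExecuteScript p-1, plain RouteOnAttribute p-2,
# an operator holding write access only, and an admin also granted "execute code".
COMPONENTS = {c.id: c for c in (
    Component("p-1", frozenset({"execute code"})),
    Component("p-2"),
)}
USERS = {u.identity: u for u in (
    User("operator", write_on={"p-1", "p-2"}),
    User("admin", write_on={"p-1", "p-2"}, restricted={"execute code"}),
)}
# Constructed records shaped like NiFi's flow configuration history (an assumption)
HISTORY = [
    {"timestamp": "2026-02-03T10:15:00Z", "user": "admin", "operation": "Configure", "component_id": "p-1"},
    {"timestamp": "2026-02-04T08:02:00Z", "user": "operator", "operation": "Configure", "component_id": "p-1"},
    {"timestamp": "2026-02-04T08:05:00Z", "user": "operator", "operation": "Configure", "component_id": "p-2"},
]
```

The operator passes the vulnerable check on p-1 but fails the fixed one, and the audit pass flags only that operator's change to the restricted processor.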
This issue highlights broader risks in dataflow platforms like NiFi, where fine-grained permissions underpin zero-trust models.
Data processing pipelines in enterprises, cloud environments, and IoT setups often depend on such controls.
Prompt patching prevents exploitation chains, especially where this flaw could be combined with other recently reported NiFi issues such as path traversal or denial-of-service vectors.
The post Critical Apache NiFi Vulnerabilities Enable Authorization Bypass appeared first on Cyber Security News.