Apache NiFi information disclosure by XXE
Description
In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache NiFi before 1.15.1 allows authenticated users to disclose sensitive information via XXE in the TransformXML processor.
Vulnerability
The TransformXML processor in Apache NiFi before version 1.15.1 allows an authenticated user to configure an XSLT file. If the XSLT file includes malicious external entity (XXE) calls, it may reveal sensitive information. This issue is tracked as NIFI-9399 [1][3].
Exploitation
An attacker must be an authenticated user with permission to configure the TransformXML processor. The attacker provides a crafted XSLT file that includes external entity references. When the processor processes the XSLT, the XML parser resolves the external entities, potentially reading local files or making network requests [2][3].
Impact
Successful exploitation leads to information disclosure. The attacker can read sensitive files from the NiFi server's file system or access internal network resources, depending on the external entity definitions. The privilege level is that of an authenticated user, but the disclosure can expose credentials or configuration data [1][2].
Mitigation
The vulnerability is fixed in Apache NiFi version 1.15.1, released on December 17, 2021 [1][3]. Users should upgrade to 1.15.1 or later. No workaround is documented; upgrading is the recommended mitigation. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.
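The mechanism described above, as an added example that is not NiFi's code and does not claim to show how 1.15.1 fixes it: a default (weak) JAXP TransformerFactory beside a hardened one, each handed a constructed stylesheet that declares an external entity with a placeholder URI. The hardened factory refuses the stylesheet before any external resource is fetched.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XsltExternalEntityCheck {
    // Constructed stylesheet (not from the advisory): declares an external entity and
    // expands it into the output, the pattern the CVE describes. The SYSTEM URI is a placeholder.
    static final String XSLT_WITH_EXTERNAL_ENTITY =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE xsl:stylesheet [ <!ENTITY ext SYSTEM \"file:///placeholder/path\"> ]>\n"
      + "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n"
      + "  <xsl:template match=\"/\"><out>&ext;</out></xsl:template>\n"
      + "</xsl:stylesheet>";
    static final String INPUT_XML = "<doc/>";

    // Weak: a default factory resolves SYSTEM entities and external DTD/stylesheet references.
    static TransformerFactory weakFactory() {
        return TransformerFactory.newInstance();
    }

    // Hardened: secure processing on, and all external DTD and stylesheet access disabled
    // (empty string = no protocol allowed), so the stylesheet parser never fetches the URI.
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return f;
    }

    // Compiles and applies the stylesheet; reports "applied" or "rejected: <parser message>".
    static String outcome(TransformerFactory f, String xslt) {
        try {
            Transformer t = f.newTransformer(new StreamSource(new StringReader(xslt)));
            t.transform(new StreamSource(new StringReader(INPUT_XML)), new StreamResult(new StringWriter()));
            return "applied";
        } catch (TransformerException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws TransformerException {
        System.out.println("weak     -> " + outcome(weakFactory(), XSLT_WITH_EXTERNAL_ENTITY));
        System.out.println("hardened -> " + outcome(hardenedFactory(), XSLT_WITH_EXTERNAL_ENTITY));
    }
}
```

With the placeholder URI the weak factory also fails, but only after trying to open the file; the hardened factory's rejection comes from the accessExternalDTD restriction and no fetch is attempted.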
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.nifi:nifi (Maven) | < 1.15.1 | 1.15.1 |
Affected products
- OSV coordinates (no CPE), range: >= 0.1.0, < 1.15.1
- OSV coordinates (no CPE), range: < 1.15.1
- Apache Software Foundation / Apache NiFi (CPE v5 range): Apache NiFi
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-rq96-qhc5-vm4r (advisory, via GHSA)
- https://nvd.nist.gov/vuln/detail/CVE-2021-44145 (advisory, via GHSA)
- https://www.openwall.com/lists/oss-security/2021/12/17/1 (oss-security mailing list, via GHSA)
- https://nifi.apache.org/security.html (Apache NiFi security page, via GHSA)
News mentions
No linked articles in our index yet.