High severity8.8NVD Advisory· Published May 8, 2026· Updated May 9, 2026

CVE-2026-39816

Description

The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type, enabling Groovy Script execution in the service prior to submitting the query. The missing Restricted annotation allows users without the Execute Code Permission to configure the Service in installations that use fine-grained authorization and have the optional TinkerpopClientService installed. Apache NiFi installations that do not have the nifi-other-graph-services-nar installed are not subject to this vulnerability. Upgrading to Apache NiFi 2.9.0 is the recommended mitigation.

Affected products

Apache/Nifi2 versions
cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*range: >=2.0.0,<2.9.0
- (no CPE)range: >=2.0.0-M1 <=2.8.0

Patches

72fab7dde74e

NIFI-15800 Added Execute Code Permission to TinkerpopClientService (#11108)

https://github.com/apache/nifiDavid HandermannApr 6, 2026via ghsa

commit

1 file changed · +11 −0

nifi-extension-bundles/nifi-graph-bundle/nifi-other-graph-services/src/main/java/org/apache/nifi/graph/TinkerpopClientService.java

+11 −0 modified

@@ -27,12 +27,15 @@
 import io.netty.handler.ssl.JdkSslContext;
 import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.nifi.annotation.behavior.RequiresInstanceClassLoading;
+import org.apache.nifi.annotation.behavior.Restricted;
+import org.apache.nifi.annotation.behavior.Restriction;
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.annotation.documentation.Tags;
 import org.apache.nifi.annotation.lifecycle.OnDisabled;
 import org.apache.nifi.annotation.lifecycle.OnEnabled;
 import org.apache.nifi.components.AllowableValue;
 import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.RequiredPermission;
 import org.apache.nifi.components.ValidationContext;
 import org.apache.nifi.components.ValidationResult;
 import org.apache.nifi.components.Validator;
@@ -72,6 +75,14 @@
         "Bytecode submission allows much more flexibility. When providing a jar, custom serializers can be used and pre-compiled graph logic can be utilized by groovy scripts" +
         "provided by processors such as the ExecuteGraphQueryRecord.")
 @RequiresInstanceClassLoading
+@Restricted(
+        restrictions = {
+                @Restriction(
+                        requiredPermission = RequiredPermission.EXECUTE_CODE,
+                        explanation = "Enables configuration of scripted queries"
+                )
+        }
+)
 public class TinkerpopClientService extends AbstractControllerService implements GraphClientService {
     public static final String NOT_SUPPORTED = "NOT_SUPPORTED";
     private static final AllowableValue BYTECODE_SUBMISSION = new AllowableValue("bytecode-submission", "ByteCode Submission",

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2026/04/13/8nvdMailing ListThird Party Advisory
github.com/advisories/GHSA-2j9m-25xv-mp6rghsaADVISORY
lists.apache.org/thread/gh9g7xwvv4l20gzff6q3367snf35ctcbnvdMailing ListVendor Advisory
github.com/apache/nifi/commit/72fab7dde74edfd1063b57e87b0334340c1fbe93ghsa
github.com/apache/nifi/pull/11108ghsa
nvd.nist.gov/vuln/detail/CVE-2026-39816ghsa
zeropath.com/blog/nifi-cve-2026-39816-privesc-rcenvd

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000