Nifi
by Apache
Source repositories
CVEs (12)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-5636 | Cri | 0.64 | 9.8 | 0.04 | Oct 19, 2017 | In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to… | ||
| CVE-2026-39816 | Hig | 0.50 | 8.8 | 0.01 | May 8, 2026 | The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type,… | ||
| CVE-2017-5635 | Hig | 0.49 | 7.5 | 0.03 | Oct 19, 2017 | In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the "anonymous" user. | ||
| CVE-2017-7667 | Hig | 0.49 | 7.5 | 0.01 | Jun 12, 2017 | Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with the same origin. | ||
| CVE-2017-12623 | Med | 0.42 | 6.5 | 0.02 | Oct 10, 2017 | An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should… | ||
| CVE-2017-7665 | Med | 0.40 | 6.1 | 0.04 | Jun 12, 2017 | In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient. | ||
| CVE-2016-8748 | Med | 0.35 | 5.4 | 0.02 | Oct 19, 2017 | In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM. | ||
| CVE-2026-44914 | 0.00 | — | 0.00 | Jun 22, 2026 | Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extension components with specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required, but framework… | |||
| CVE-2026-44911 | 0.00 | — | 0.00 | Jun 22, 2026 | Authorization handling for component configuration verification requests in Apache NiFi 1.15.0 through 2.9.0 allows clients with read access to submit proposed configuration properties. The proposed properties override current configuration, enabling users with read access to… | |||
| CVE-2026-44913 | 0.00 | — | 0.00 | Jun 22, 2026 | Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection… | |||
| CVE-2026-54665 | 0.00 | — | 0.00 | Jun 22, 2026 | Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that provide an alternative to the standard Host header without validating the values provided. Apache NiFi 1.6.0 introduced a configurable application property to restrict… | |||
| CVE-2025-66524 | 0.00 | — | 0.00 | Dec 19, 2025 | Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and… |
- risk 0.64cvss 9.8epss 0.04
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to…
- risk 0.50cvss 8.8epss 0.01
The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type,…
- risk 0.49cvss 7.5epss 0.03
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the "anonymous" user.
- risk 0.49cvss 7.5epss 0.01
Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with the same origin.
- risk 0.42cvss 6.5epss 0.02
An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should…
- risk 0.40cvss 6.1epss 0.04
In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient.
- risk 0.35cvss 5.4epss 0.02
In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM.
- CVE-2026-44914Jun 22, 2026risk 0.00cvss —epss 0.00
Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extension components with specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required, but framework…
- CVE-2026-44911Jun 22, 2026risk 0.00cvss —epss 0.00
Authorization handling for component configuration verification requests in Apache NiFi 1.15.0 through 2.9.0 allows clients with read access to submit proposed configuration properties. The proposed properties override current configuration, enabling users with read access to…
- CVE-2026-44913Jun 22, 2026risk 0.00cvss —epss 0.00
Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection…
- CVE-2026-54665Jun 22, 2026risk 0.00cvss —epss 0.00
Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that provide an alternative to the standard Host header without validating the values provided. Apache NiFi 1.6.0 introduced a configurable application property to restrict…
- CVE-2025-66524Dec 19, 2025risk 0.00cvss —epss 0.00
Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and…