Apache NiFi - Information Disclosure

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases wher...

CVE-2026-54665

Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that provide an alternative to the standard Host header without validating the values provided. Apache NiFi 1.6.0 introduced a configurable application property to restrict values provided in...

CVE-2026-44911

Authorization handling for component configuration verification requests in Apache NiFi 1.15.0 through 2.9.0 allows clients with read access to submit proposed configuration properties. The proposed properties override current configuration, enabling users with read access to invoke predefined...

CVE-2026-44913

Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not...

EUVD-2026-38219

Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extension components with specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required, but framework authorization did not...

CVE-2026-44914

Apache NiFi versions 1.12.0–2.9.0 are vulnerable to missing authorization when replacing Process Groups that include extension components with the Restricted annotation. The Restricted annotation signals higher privileges, but framework authorization did not enforce restricted status during repla...

CVE-2026-44911 Apache NiFi: Incorrect Authorization for Configuration Verification Requests

Authorization handling for component configuration verification requests in Apache NiFi 1.15.0 through 2.9.0 allows clients with read access to submit proposed configuration properties. The proposed properties override current configuration, enabling users with read access to invoke predefined...

CVE-2026-44911

CVE-2026-44911 affects Apache NiFi 1.15.0–2.9.0 where authorization for component configuration verification requests is insufficient: users with read access can submit proposed configuration properties, potentially overriding current settings and invoking verification methods with altered parame...

CVE-2026-44913

Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not...

EUVD-2026-38217

Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not...

CVE-2026-44913

CVE-2026-44913 concerns Apache NiFi’s CaptureChangeMySQL Processor. The vulnerability arises from improper escaping of database table names, enabling SQL injection through crafted naming in NiFi versions 1.2.0–2.9.0. The issue can be partially mitigated by prior hardening (e.g., manual quoted bou...

CVE-2026-54665

Apache NiFi (versions 0.0.1–2.9.0) is affected by an input-validation flaw where URL redirection/data references can be influenced by non-standard host headers. NiFi 1.6.0 added a proxy-host header validation mechanism, but validation was not applied to alternative headers (X-ProxyHost, X-Forward...

GHSA-97JF-46M3-8953 vulnerabilities

Vulnerabilities for packages: apache-nifi...

CVE-2026-33117 vulnerabilities

Vulnerabilities for packages: apache-nifi...

CVE-2026-33117 vulnerabilities

Vulnerabilities for packages: apache-nifi...

GHSA-97JF-46M3-8953 vulnerabilities

Vulnerabilities for packages: apache-nifi...

CLEANSTART-2026-AV84730 Security fixes for CVE-2026-1605, CVE-2026-22732, CVE-2026-24281, CVE-2026-33870, CVE-2026-33871, CVE-2026-3505, CVE-2026-5588, ghsa-355h-qmc2-wpwf, ghsa-3677-xxcr-wjqv, ghsa-72hv-8253-57qq, ghsa-c3fc-8qff-9hwx, ghsa-cj8j-37rh-8475, ghsa-cvc6-q2cp-2xhw, ghsa-qqpg-mvqg-649v, ghsa-vxf7-qj7q-83fh, ghsa-wg6q-6289-32hp, ghsa-x2wq-9x2f-fhj7, ghsa-x44p-gvrj-pj2r applied in versions: 2.7.2-r0, 2.7.2-r2, 2.9.0-r0, 2.9.0-r1

Multiple security vulnerabilities affect the apache-nifi package. These issues are resolved in later releases. See references for individual vulnerability details...

CLEANSTART-2026-TK07726 Security fixes for CVE-2026-1605, CVE-2026-22732, CVE-2026-24281, CVE-2026-33870, CVE-2026-33871, CVE-2026-3505, CVE-2026-5588, ghsa-355h-qmc2-wpwf, ghsa-3677-xxcr-wjqv, ghsa-72hv-8253-57qq, ghsa-c3fc-8qff-9hwx, ghsa-cj8j-37rh-8475, ghsa-qqpg-mvqg-649v, ghsa-wg6q-6289-32hp, ghsa-x2wq-9x2f-fhj7, ghsa-x44p-gvrj-pj2r applied in versions: 2.7.2-r0, 2.7.2-r2, 2.7.2-r3, 2.7.2-r4

Multiple security vulnerabilities affect the apache-nifi package. These issues are resolved in later releases. See references for individual vulnerability details...

CLEANSTART-2026-DY69070 Security fixes for CVE-2026-1605, CVE-2026-22732, CVE-2026-24281, CVE-2026-33870, CVE-2026-33871, CVE-2026-3505, CVE-2026-5588, ghsa-2m67-wjpj-xhg9, ghsa-3677-xxcr-wjqv, ghsa-6v53-7c9g-w56r, ghsa-72hv-8253-57qq, ghsa-c3fc-8qff-9hwx, ghsa-p93r-85wp-75v3, ghsa-qqpg-mvqg-649v, ghsa-wg6q-6289-32hp, ghsa-x2wq-9x2f-fhj7, ghsa-x44p-gvrj-pj2r applied in versions: 2.6.0-r0, 2.7.2-r0, 2.7.2-r2

Multiple security vulnerabilities affect the apache-nifi package. These issues are resolved in later releases. See references for individual vulnerability details...

CVE-2026-40976 vulnerabilities

Vulnerabilities for packages: apache-nifi-registry...