CVE-2026-44911 | Authorization handling for component configuration verificat… | CVSS 2.3 LOW

Description

Authorization handling for component configuration verification requests in Apache NiFi 1.15.0 through 2.9.0 allows clients with read access to submit proposed configuration properties. The proposed properties override current configuration, enabling users with read access to invoke predefined verification methods with alternative settings. Apache NiFi installations that do not implement different levels of authorization for viewing and modifying component configuration are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, requiring write access to submit configuration verification requests.

Metadata

CVE ID: CVE-2026-44911
State: PUBLISHED
Assigner: apache
Reserved: 2026-05-08 03:42 UTC
Published: 2026-06-22 07:37 UTC
Last updated: 2026-06-22 12:28 UTC
Primary CWE: CWE-863
CWE-863 Incorrect Authorization
Vendor / Product: Apache Software Foundation / Apache NiFi
Sources: cve.org · NVD

Severity & Metrics

2.3 LOW CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/AU:Y/R:U/V:C/RE:L/U:Amber

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Apache Software Foundation	Apache NiFi	—	1.15.0 ≤ 2.9.0

Weakness (CWE)

CWE	Source	Description
CWE-863	cna	CWE-863 Incorrect Authorization

CVSS scores (1)

Score	Severity	Version	Source	Vector
2.3	LOW	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/AU:Y/R:U/V:C/RE:L/U:Amber

References (1)

https://lists.apache.org/thread/wrj3t4k2bwd2cztyp078f5kj3722qfzy