GHSA-r2g5-993q-664g · Severity: high — Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that...
Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extension components with specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required, but framework authorization did not check restricted status when handling requests to replace Process Groups. The missing authorization permits a user with general write access to add components with Restricted status. Apache NiFi installations that do not implement specific authorization for Restricted components are not subject to this vulnerability because the framework enforces write permissions as the security boundary. Upgrading to Apache NiFi 2.9.0 is the recommended mitigation, which removes the implementation of Restricted status authorization from the framework.
Conclusion & alert: CVE-2026-44914 is rated Moderate Risk (41/100): CVSS High severity, with low exploitation likelihood (EPSS 0.39%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-24 | 0.29% | 0.39% | +0.11% |
| 2 | 2026-06-23 | — | 0.29% | — |
Full EPSS history (2 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 4.0 | HIGH | | — | — | [email protected] |
| 7.2 | 3.1 | HIGH | | 1.2 | 5.9 | [email protected] |
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/ydr34t03xd1n0t9oogpzogjrd5y93838 | Mailing List Vendor Advisory |
| http://www.openwall.com/lists/oss-security/2026/06/20/6 | Mailing List Third Party Advisory |