GHSA-8vm2-c32j-mvfr · Severity: medium — Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request...
Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that provide an alternative to the standard Host header without validating the values provided. Apache NiFi 1.6.0 introduced a configurable application property to restrict values provided in the HTTP Host header, but did not apply the validation to alternative Proxy and Forwarded headers. The absence of proxy host header validation allowed a client to instruct Apache NiFi web services to construct invalid qualified URLs for redirection or data references. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which implements validation for the X-ProxyHost and X-Forwarded-Host HTTP request headers based on the nifi.web.proxy.host property. Enabling header validation requires configuring the application with HTTPS. Reverse proxy servers in front of Apache NiFi are responsible for filtering input request headers and providing allowed values to the application.
Conclusion & alert: CVE-2026-54665 is rated Low Risk (31.6/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.27%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-24 | 0.19% | 0.27% | +0.08% |
| 2 | 2026-06-23 | — | 0.19% | — |
Full EPSS history (2 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.3 | 4.0 | MEDIUM |
|
— | — | [email protected] |
| 5.3 | 3.1 | MEDIUM |
|
3.9 | 1.4 | [email protected] |
GHSA-8vm2-c32j-mvfr · Severity: medium — Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request...
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/y0yoblon8f6dp00qz5r90cxq5n6g4j6k | Vendor Advisory Mailing List |
| http://www.openwall.com/lists/oss-security/2026/06/20/7 | Third Party Advisory Mailing List |