Description

Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required to add the annotated component to the flow configuration, but framework authorization did not check restricted status when updating a component previously added. The missing authorization requires a more privileged user to add a restricted component to the flow configuration, but permits a less privileged user to make property configuration changes. Apache NiFi installations that do not implement different levels of authorization for Restricted components are not subject to this vulnerability because the framework enforces write permissions as the security boundary. Upgrading to Apache NiFi 2.8.0 is the recommended mitigation.

INFO

Published Date :

2026-02-17T09:54:44.203Z

Last Modified :

2026-02-17T14:29:12.153Z

Source :

apache
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25903 vulnerability.

Vendors Products
Apache
  • Nifi
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25903.

URL Resource
http://www.openwall.com/lists/oss-security/2026/02/16/1 cve-icon
https://lists.apache.org/thread/jf6bkt9sk6xvshy8xyxv3vtlxd340345 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact