Knime

By the Year

In 2026 there have been 1 vulnerability in Knime. Last year, in 2025 Knime had 3 security vulnerabilities published. Right now, Knime is on track to have less security vulnerabilities in 2026 than it did last year.

Recent Knime Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2026-4649	Mar 24, 2026	Apache Artemis Auth Bypass <=2.52.0 allows message read/injection Apache Artemis before version 2.52.0 is affected by an authentication bypass flaw which allows reading all messages exchanged via the broker and injection of new message ( CVE-2026-27446 https://www.cve.org/CVERecord ). Since KNIME Business Hub uses Apache Artemis it is also affected by the issue. However, since Apache Artemis is not exposed to the outside it requires at least normal user privileges and the ability to execute workflows in an executor. Such a user can install and register a federated mirror without authentication to the original Apache Artemis instance and thereby read all internal messages and inject new messages. The issue affects all versions of KNIME Business Hub. A fixed version of Apache Artemis is shipped with versions 1.18.0, 1.17.4, and 1.16.3. We recommend updating to a fixed version as soon as possible since no workaround is known.
CVE-2025-14262	Dec 08, 2025	KNIME Business Hub: Auth Bypass in Job Save (1.17.0) A wrong permission check in KNIME Business Hub before version 1.17.0 allowed an authenticated user to save jobs of other users as if there were saved by the job owner. The attacker must have permissions to access the jobs but then they were saved into the catalog service using the wrong owner permissions. Therefore it may have been possible to save into spaces where the attacker does not have write permissions. There is no workaround.
CVE-2025-11240	Oct 02, 2025	Open Redirect in KNIME Business Hub <1.16.0 An open redirect vulnerability existed in KNIME Business Hub prior to version 1.16.0. An unauthenticated remote attacker could craft a link to a legitimate KNIME Business Hub installation which, when opened by the user, redirects the user to a page of the attackers choice. This might open the possibility for fishing or other similar attacks. The problem has been fixed in KNIME Business Hub 1.16.0.	Knime Business Hub
CVE-2025-11239	Oct 02, 2025	KNIME Business Hub 1.16.0+ Fix Sensitive Job Data Exposure Potentially sensitive information in jobs on KNIME Business Hub prior to 1.16.0 were visible to all members of the user's team. Starting with KNIME Business Hub 1.16.0 only metadata of jobs is shown to team members. Only the creator of a job can see all information including in- and output data (if present).	Knime Business Hub
CVE-2023-5562	Oct 12, 2023	KNIME Analytics Platform <5.2.0: XSS via Unsanitized JS view nodes An unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently. KNIME Analytics Platform already has configuration options with which sanitization of data can be actived, see https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal . However, these are off by default which allows for cross-site scripting attacks. KNIME Analytics Platform 5.2.0 will enable sanitization by default. For all previous releases we recommend users to add the corresponding settings to the executor's knime.ini.	Knime Analytics Platform
CVE-2023-3140	Jun 07, 2023	KNIME Business Hub <1.4.0 Clickjacking via Missing X-Frame-Options Missing HTTP headers (X-Frame-Options, Content-Security-Policy) in KNIME Business Hub before 1.4.0 has left users vulnerable to click jacking. Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or link, to another server in which they have an identical webpage. The attacker essentially hijacks the user activity intended for the original server and sends them to the other server.	Business Hub
CVE-2023-2541	Jun 07, 2023	KNIME Business Hub Web Frontend 1.3 Unauth Remote Info Disclosure The Web Frontend of KNIME Business Hub before 1.4.0 allows an unauthenticated remote attacker to access internals about the application such as versions, host names, or IP addresses. No personal information or application data was exposed.	Business Hub
CVE-2022-44749	Nov 24, 2022	KNIME Analytics Platform 3.2+ Zip-Slip Directory Traversal Overwrite A directory traversal vulnerability in the ZIP archive extraction routines of KNIME Analytics Platform 3.2.0 and above can result in arbitrary files being overwritten on the user's system. This vulnerability is also known as 'Zip-Slip'. An attacker can create a KNIME workflow that, when being opened by a user, can overwrite arbitrary files that the user has write access to. It's not necessary to execute the workflow, opening the workflow is sufficient. The user will notice that something is wrong because an error is being reported but only after the files have already been written. This can impact data integrity (file contents are changed) or cause errors in other software (vital files being corrupted). It can even lead to remote code execution if executable files are being replaced and subsequently executed by the user. In all cases the attacker has to know the location of files on the user's system, though.	Knime Analytics Platform
CVE-2022-44748	Nov 24, 2022	KNIME Server 4.3+ ZipSlip Directory Traversal overwrite files; fixed 4.13.6 A directory traversal vulnerability in the ZIP archive extraction routines of KNIME Server since 4.3.0 can result in arbitrary files being overwritten on the server's file system. This vulnerability is also known as 'Zip-Slip'. An attacker can create a KNIME workflow that, when being uploaded, can overwrite arbitrary files that the operating system user running the KNIME Server process has write access to. The user must be authenticated and have permissions to upload files to KNIME Server. This can impact data integrity (file contents are changed) or cause errors in other software (vital files being corrupted). It can even lead to remote code execution if executable files are being replaced and subsequently executed by the KNIME Server process user. In all cases the attacker has to know the location of files on the server's file system, though. Note that users that have permissions to upload workflows usually also have permissions to run them on the KNIME Server and can therefore already execute arbitrary code in the context of the KNIME Executor's operating system user. There is no workaround to prevent this vulnerability from being exploited. Updates to fixed versions 4.13.6, 4.14.3, or 4.15.3 are advised.	Knime Server
CVE-2022-31500	Jun 02, 2022	In KNIME Analytics Platform below 4.6.0 In KNIME Analytics Platform below 4.6.0, the Windows installer sets improper filesystem permissions.	Analytics Platform Knime Analytics Platform
CVE-2021-45097	Dec 16, 2021	KNIME Server before 4.12.6 and 4.13.x before 4.13.4 (when installed in unattended mode) keeps the administrator's password in a file without appropriate file access controls KNIME Server before 4.12.6 and 4.13.x before 4.13.4 (when installed in unattended mode) keeps the administrator's password in a file without appropriate file access controls, allowing all local users to read its content.	Knime Server
CVE-2021-45096	Dec 16, 2021	KNIME Analytics Platform before 4.5.0 is vulnerable to XXE (external XML entity injection) KNIME Analytics Platform before 4.5.0 is vulnerable to XXE (external XML entity injection) via a crafted workflow file (.knwf), aka AP-17730.	Knime Analytics Platform
CVE-2021-44726	Dec 08, 2021	KNIME Server before 4.13.4 KNIME Server before 4.13.4 allows XSS via the old WebPortal login page.	Knime Server
CVE-2021-44725	Dec 08, 2021	KNIME Server before 4.13.4 KNIME Server before 4.13.4 allows directory traversal in a request for a client profile.	Knime Server