Apache NiFi 1.1.0-2.7.2: Missing Auth on Updating Restricted Component Properties
CVE-2026-25903 Published on February 17, 2026
Apache NiFi: Missing Authorization of Restricted Permissions for Component Updates
Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required to add the annotated component to the flow configuration, but framework authorization did not check restricted status when updating a component previously added. The missing authorization requires a more privileged user to add a restricted component to the flow configuration, but permits a less privileged user to make property configuration changes. Apache NiFi installations that do not implement different levels of authorization for Restricted components are not subject to this vulnerability because the framework enforces write permissions as the security boundary. Upgrading to Apache NiFi 2.8.0 is the recommended mitigation.
Timeline
reported
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-25903 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-25903
Want to know whenever a new CVE is published for Apache NiFi? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache NiFi:- Version 1.1.0 and below 2.8.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.