Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-25903
PUBLISHED
More InfoOfficial Page
Assigner-apache
Assigner Org ID-f0158376-9dc2-43b6-827c-5f631a4d8d09
View Known Exploited Vulnerability (KEV) details
Published At-17 Feb, 2026 | 09:54
Updated At-17 Feb, 2026 | 14:29
Rejected At-
▼CVE Numbering Authority (CNA)
Apache NiFi: Missing Authorization of Restricted Permissions for Component Updates

Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required to add the annotated component to the flow configuration, but framework authorization did not check restricted status when updating a component previously added. The missing authorization requires a more privileged user to add a restricted component to the flow configuration, but permits a less privileged user to make property configuration changes. Apache NiFi installations that do not implement different levels of authorization for Restricted components are not subject to this vulnerability because the framework enforces write permissions as the security boundary. Upgrading to Apache NiFi 2.8.0 is the recommended mitigation.

Affected Products
Vendor
The Apache Software FoundationApache Software Foundation
Product
Apache NiFi
Package Name
org.apache.nifi:nifi-web-api
Default Status
unaffected
Versions
Affected
  • From 1.1.0 before 2.8.0 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:Y/R:I/V:C/RE:M/U:Amber
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:Y/R:I/V:C/RE:M/U:Amber
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
David Handermann
Timeline
EventDate
reported2026-02-06 12:00:00
Event: reported
Date: 2026-02-06 12:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
https://lists.apache.org/thread/jf6bkt9sk6xvshy8xyxv3vtlxd340345
vendor-advisory
Hyperlink: https://lists.apache.org/thread/jf6bkt9sk6xvshy8xyxv3vtlxd340345
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://www.openwall.com/lists/oss-security/2026/02/16/1
N/A
Hyperlink: http://www.openwall.com/lists/oss-security/2026/02/16/1
Resource: N/A
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found