=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN176
_____________________________________________________________________

DATE                : 17/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache NiFi versions prior
                     to 2.8.0.

=====================================================================
https://lists.apache.org/thread/jf6bkt9sk6xvshy8xyxv3vtlxd340345
_____________________________________________________________________

CVE-2026-25903: Apache NiFi: Missing Authorization of Restricted 
Permissions for Component Updates

Severity: 

Affected versions:

- Apache NiFi (org.apache.nifi:nifi-web-api) 1.1.0 before 2.8.0

Description:

Apache NiFi 1.1.0 through 2.7.2 are missing authorization when
updating configuration properties on extension components that have
specific Required Permissions based on the Restricted annotation. The
Restricted annotation indicates additional privileges required to add
the annotated component to the flow configuration, but framework
authorization did not check restricted status when updating a
component that had previously been added. As a result, adding a
restricted component to the flow configuration still requires a more
privileged user, but a less privileged user with write permission on
that component can then make property configuration changes. Apache
NiFi installations that do not implement different levels of
authorization for Restricted components are not subject to this
vulnerability, because the framework enforces write permissions as the
security boundary. Upgrading to Apache NiFi 2.8.0 is the recommended
mitigation.
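
The authorization gap described above, as an added illustration that is not NiFi's own code: a simplified model of the add-time versus update-time checks, with a defender-side audit that lists which user/component pairs a less privileged user could reconfigure under the pre-2.8.0 behaviour. Component and permission names are constructed placeholders.

```python
from dataclasses import dataclass, field

# Simplified model of the authorization checks; not Apache NiFi's code.
# Permission labels and component names below are illustrative placeholders.
@dataclass(frozen=True)
class Component:
    name: str
    # Required Permissions carried by the Restricted annotation;
    # an empty set means the component is not restricted.
    required_permissions: frozenset = frozenset()

@dataclass
class User:
    name: str
    write_components: set = field(default_factory=set)        # write access per component
    restricted_permissions: set = field(default_factory=set)  # restricted grants held

def has_write(user: User, component: Component) -> bool:
    return component.name in user.write_components

def has_required_permissions(user: User, component: Component) -> bool:
    return component.required_permissions <= user.restricted_permissions

def authorize_add(user: User, component: Component) -> bool:
    # Adding a restricted component to the flow always required both checks.
    return has_write(user, component) and has_required_permissions(user, component)

def authorize_update_before_2_8_0(user: User, component: Component) -> bool:
    # Vulnerable behaviour (1.1.0 through 2.7.2): only write permission is checked.
    return has_write(user, component)

def authorize_update_2_8_0(user: User, component: Component) -> bool:
    # Fixed behaviour: restricted status is enforced on property updates as well.
    return has_write(user, component) and has_required_permissions(user, component)

def audit_exposed_updates(users, components):
    """Defender-side audit: (user, component) pairs that a user could reconfigure
    under the vulnerable update check but not under the fixed one."""
    return sorted(
        (u.name, c.name)
        for u in users for c in components
        if authorize_update_before_2_8_0(u, c) and not authorize_update_2_8_0(u, c)
    )

# Constructed sample: one restricted component, one plain one, two users.
RESTRICTED = Component("RestrictedProcessorX", frozenset({"execute-code"}))
PLAIN = Component("PlainProcessorY")
ADMIN = User("admin", {"RestrictedProcessorX", "PlainProcessorY"}, {"execute-code"})
EDITOR = User("editor", {"RestrictedProcessorX", "PlainProcessorY"})

if __name__ == "__main__":
    print(audit_exposed_updates([ADMIN, EDITOR], [RESTRICTED, PLAIN]))
```

Installations that grant every writer the same restricted permissions produce an empty audit list, matching the advisory's note that write permission is then the only security boundary.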

This issue is being tracked as NIFI-15567

Credit:

David Handermann (finder)

References:

https://nifi.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-25903
https://issues.apache.org/jira/browse/NIFI-15567

Timeline:

2026-02-06: reported

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================