Security Advisory - Published 2026-06-22 - Apache NiFi
Apache NiFi CVE-2026-44914: review restricted component permissions
Apache NiFi 1.12.0 through 2.9.0 can miss a restricted-component authorization check when process group contents are replaced. The practical question to review is whether users with general write access could add components that normally require a specific restricted permission.
Affected version
| CVE | Product | Affected | CVSS |
|---|---|---|---|
| CVE-2026-44914 | Apache NiFi | 1.12.0 through 2.9.0 | 7.5 |
Owner self-check
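```bash
# Version strings in configuration and logs
grep -Rni 'nifi.version\|Apache NiFi' /opt/nifi/conf /opt/nifi/logs 2>/dev/null | head -40
# Recent log lines that mention restricted components or process group changes
grep -Rni 'Restricted\|restricted\|replace process group\|ProcessGroup\|write access' /opt/nifi/logs 2>/dev/null | tail -150
# Write and restricted-component policy entries in the configuration
grep -Rni 'WRITE\|restricted-components\|execute code\|access policies' /opt/nifi/conf 2>/dev/null
# Log files modified in the last 10 days
find /opt/nifi/logs -type f -mtime -10 -name '*.log' -print 2>/dev/null
```
What to review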
- NiFi version on every node. Mixed clusters can leave one node on affected code.
- Users and groups with process group write access, especially non-admin service accounts.
- Restricted component policies, Execute Code-style permissions, and extension bundles deployed in the cluster.
- Flow replacement, import, template, and versioned-flow actions near the advisory window.
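To make the write-access and restricted-policy items concrete, the added example below (not part of the Apache advisory or of NiFi) reads an `authorizations.xml` and lists identifiers that hold process group write without the blanket `/restricted-components` policy. It assumes the XML layout of the file-based policy provider; the sample data and identifiers are constructed, and group membership from `users.xml` and policies inherited from parent groups are not resolved.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed authorizations.xml layout of NiFi's
# file-based policy provider; every identifier here is made up.
SAMPLE = """<authorizations><policies>
  <policy identifier="p1" resource="/process-groups/root-pg" action="W">
    <user identifier="u-admin"/>
    <user identifier="u-etl-svc"/>
    <group identifier="g-flow-devs"/>
  </policy>
  <policy identifier="p2" resource="/process-groups/root-pg" action="R">
    <user identifier="u-viewer"/>
  </policy>
  <policy identifier="p3" resource="/restricted-components" action="W">
    <user identifier="u-admin"/>
  </policy>
  <policy identifier="p4" resource="/restricted-components/execute-code" action="W">
    <group identifier="g-flow-devs"/>
  </policy>
</policies></authorizations>"""

BLANKET = "/restricted-components"  # grants every restricted permission


def review_set(xml_text):
    """Return {identifier: (process groups writable, restricted policies held)}
    for tenants with process group write but no blanket restricted policy."""
    writable, restricted = {}, {}
    for policy in ET.fromstring(xml_text).iter("policy"):
        if policy.get("action") != "W":
            continue
        resource = policy.get("resource", "")
        if resource.startswith("/process-groups/"):
            target = writable
        elif resource == BLANKET or resource.startswith(BLANKET + "/"):
            target = restricted
        else:
            continue
        for member in policy:  # <user/> and <group/> children
            target.setdefault(member.get("identifier"), set()).add(resource)
    return {
        ident: (sorted(groups), sorted(restricted.get(ident, ())))
        for ident, groups in writable.items()
        if BLANKET not in restricted.get(ident, ())
    }


if __name__ == "__main__":
    for ident, (groups, held) in sorted(review_set(SAMPLE).items()):
        print(f"{ident}: writes {groups}, restricted policies {held or 'none'}")
```

Each identifier it reports is a user or group whose flow changes deserve a look in the flow history before normal write access is restored.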
Safe fix path
- Follow the Apache advisory and move NiFi to the fixed build for your branch. Verify the exact package and node binaries, not the UI banner alone.
- Temporarily restrict process group replacement to trusted administrators until the cluster is patched.
- Review authorizations, users, groups, and registry access before restoring normal write access.
- Preserve `nifi-app.log`, `nifi-user.log`, `nifi-bootstrap.log`, and flow registry logs before cleanup.
Repair help
Use Ping7 CVE Repair when a NiFi cluster has broad write access, restricted components are enabled, or the flow history needs review before production jobs resume.