CVE-2026-39816

HIGH

8.8

Descricao

The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type, enabling Groovy Script execution in the service prior to submitting the query. The missing Restricted annotation allows users without the Execute Code Permission to configure the Service in installations that use fine-grained authorization and have the optional TinkerpopClientService installed. Apache NiFi installations that do not have the nifi-other-graph-services-nar installed are not subject to this vulnerability. Upgrading to Apache NiFi 2.9.0 is the recommended mitigation.

Detalhes CVE

Pontuacao CVSS v3.18.8

SeveridadeHIGH

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosLOW

Interacao do usuarioNONE

Publicado5/8/2026

Ultima modificacao5/9/2026

Fontenvd

Avistamentos honeypot0

Produtos afetados

apache:nifi

Fraquezas (CWE)

CWE-862

Referencias

https://lists.apache.org/thread/gh9g7xwvv4l20gzff6q3367snf35ctcb(security@apache.org)

http://www.openwall.com/lists/oss-security/2026/04/13/8(af854a3a-2127-422b-91ae-364da2661108)

https://zeropath.com/blog/nifi-cve-2026-39816-privesc-rce(af854a3a-2127-422b-91ae-364da2661108)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.