Nifi CVE Vulnerabilities
By Apache — 2 known vulnerabilities
Critical
0
High
2
Medium
0
Low
0
None
0
All Nifi CVEs
CVE-2026-39816
8.8
high
The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type, enabling Groovy Scrip
May 8, 2026
CVE-2025-66524
8.8
high
Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without filt
Dec 19, 2025