Every CVE whose affected-product data names Apache Nifi, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2018-1309 — CVSS 9.8 (critical): Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code…
CVE-2017-5636 — CVSS 9.8 (critical): In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to…
CVE-2017-15697 — CVSS 9.8 (critical): A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code…
CVE-2022-33140 — CVSS 8.8 (high): The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments…
CVE-2019-12421 — CVSS 8.8 (high): When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the…
CVE-2023-36542 — CVSS 8.8 (high): Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which…
CVE-2023-34468 — CVSS 8.8 (high): The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and…
CVE-2026-39816 — CVSS 8.8 (high): The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in…
CVE-2025-66524 — CVSS 8.8 (high): Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache…
CVE-2021-20190 — CVSS 8.1 (high): A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The…
CVE-2023-49145 — CVSS 7.9 (high): Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is…
CVE-2020-9487 — CVSS 7.5 (high): In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a…
CVE-2017-12632 — CVSS 7.5 (high): A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitize host…
CVE-2017-5635 — CVSS 7.5 (high): In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the…
CVE-2017-7667 — CVSS 7.5 (high): Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with the same…
CVE-2018-1310 — CVSS 7.5 (high): Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. See…
CVE-2018-17194 — CVSS 7.5 (high): When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On…
CVE-2018-17195 — CVSS 7.5 (high): The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle…
CVE-2020-1942 — CVSS 7.5 (high): In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated flow fingerprints which included sensitive property descriptor…
CVE-2020-9486 — CVSS 7.5 (high): In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values. When a…
CVE-2020-9491 — CVSS 7.5 (high): In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by…
CVE-2022-29265 — CVSS 7.5 (high): Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The…
CVE-2023-22832 — CVSS 7.5 (high): The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow…
CVE-2019-10086 — CVSS 7.3 (high): In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to…
CVE-2026-44914 — CVSS 7.2 (high): Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extension components with specific…
CVE-2026-44913 — CVSS 7.2 (high): Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for…
CVE-2026-25903 — CVSS 6.6 (medium): Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific…
CVE-2017-12623 — CVSS 6.5 (medium): An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE)…
CVE-2021-44145 — CVSS 6.5 (medium): In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included…
CVE-2019-10080 — CVSS 6.5 (medium): The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file…
CVE-2023-34212 — CVSS 6.5 (medium): The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through…
CVE-2018-17192 — CVSS 6.5 (medium): The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some…
CVE-2023-40037 — CVSS 6.5 (medium): Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL…
CVE-2025-27017 — CVSS 6.5 (medium): Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that…
CVE-2026-44911 — CVSS 6.3 (medium): Authorization handling for component configuration verification requests in Apache NiFi 1.15.0 through 2.9.0 allows clients with read…
CVE-2018-17193 — CVSS 6.1 (medium): The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected…
CVE-2020-1933 — CVSS 6.1 (medium): A XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Malicious scripts could be injected to the UI through action by an unaware…
CVE-2017-7665 — CVSS 6.1 (medium): In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms…
CVE-2020-13940 — CVSS 5.5 (medium): In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed…
CVE-2024-56512 — CVSS 5.4 (medium): Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services…
CVE-2016-8748 — CVSS 5.4 (medium): In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when…
CVE-2020-1928 — CVSS 5.3 (medium): An information disclosure vulnerability was found in Apache NiFi 1.10.0. The sensitive parameter parser would log parsed values for…
CVE-2019-10083 — CVSS 5.3 (medium): When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the…
CVE-2026-54665 — CVSS 5.3 (medium): Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that provide an alternative to the…
CVE-2020-27223 — CVSS 5.2 (medium): In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple…
CVE-2017-15703 — CVSS 5.0 (medium): Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and…
CVE-2024-52067 — CVSS 4.9 (medium): Apache NiFi 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 include optional debug logging of Parameter Context values during the flow…
CVE-2024-45477 — CVSS 4.6 (medium): Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context…
CVE-2024-37389 — CVSS 4.6 (medium): Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is…
CVE-2022-26850 — CVSS 4.3 (medium): When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the…