Apache NiFi
7 CVEs affecting Apache NiFi. Latest disclosed: 2026-05-08. Critical: 1, High: 3.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2017-5636 | Critical | 9.8 | 2017-10-19 | In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack w… |
| CVE-2026-39816 | High | 8.8 | 2026-05-08 | The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1… |
| CVE-2017-5635 | High | 7.5 | 2017-10-19 | In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node ide… |
| CVE-2017-7667 | High | 7.5 | 2017-06-12 | Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with the same origin. |
| CVE-2017-12623 | Medium | 6.5 | 2017-10-10 | An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to prop… |
| CVE-2017-7665 | Medium | 6.1 | 2017-06-12 | In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but we… |
| CVE-2016-8748 | Medium | 5.4 | 2017-10-19 | In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized u… |