Apache NiFi TinkerpopClientService Missing Execute Code Permission Vulnerability

Vulnerability

A vulnerability exists in the optional TinkerpopClientService component of Apache NiFi versions 2.0.0-M1 through 2.8.0. The issue arises because the component lacks the Restricted annotation required for Execute Code Permission. This omission allows users without the necessary permission to configure the service in environments with fine-grained authorization, potentially enabling unauthorized execution of Groovy scripts before query submission. The vulnerability does not affect Apache NiFi installations without the nifi-other-graph-services-nar component.

Impact

Exploitation of this vulnerability could lead to unauthorized configuration of the TinkerpopClientService, allowing users who lack the Execute Code Permission to run Groovy scripts they are not authorized to execute.

Remediation

Users are advised to upgrade to Apache NiFi version 2.9.0.
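The following is an added defender-side check, not code from the Apache NiFi project: it decides whether a reported NiFi version falls in the affected range (2.0.0-M1 through 2.8.0, fixed in 2.9.0) and lists any controller services whose type ends in TinkerpopClientService. It assumes JSON shaped like the NiFi REST responses for `/nifi-api/flow/about` and `/nifi-api/flow/controller/controller-services`; the sample responses and the `org.apache.nifi.graph` package name are constructed for illustration.

```python
import json
import re

AFFECTED_LOW = "2.0.0-M1"  # first affected release per the advisory
FIXED = "2.9.0"            # first fixed release per the advisory


def parse_version(v):
    """Turn '2.0.0-M1' or '2.8.0' into a sortable tuple.

    Milestone builds (-Mn) sort before the GA release of the same number,
    so 2.0.0-M1 < 2.0.0-M4 < 2.0.0 < 2.8.0 < 2.9.0.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognized NiFi version string: {v}")
    major, minor, patch, milestone = m.groups()
    ga_flag = 0 if milestone else 1
    return (int(major), int(minor), int(patch), ga_flag, int(milestone or 0))


def version_affected(v):
    """True when v is in [2.0.0-M1, 2.9.0)."""
    return parse_version(AFFECTED_LOW) <= parse_version(v) < parse_version(FIXED)


def find_tinkerpop_services(services_json):
    """Return ids of controller services whose component type is the TinkerpopClientService."""
    hits = []
    for svc in json.loads(services_json).get("controllerServices", []):
        comp = svc.get("component", {})
        if comp.get("type", "").endswith(".TinkerpopClientService"):
            hits.append(comp.get("id"))
    return hits


def assess(about_json, services_json):
    """Combine version and inventory into one finding for the instance."""
    version = json.loads(about_json)["about"]["version"]
    return {"version": version,
            "affected": version_affected(version),
            "tinkerpop_services": find_tinkerpop_services(services_json)}


# Constructed sample responses (not captured from a real instance)
SAMPLE_ABOUT = '{"about": {"title": "NiFi", "version": "2.8.0"}}'
SAMPLE_SERVICES = json.dumps({"controllerServices": [
    {"component": {"id": "svc-1", "type": "org.apache.nifi.graph.TinkerpopClientService", "name": "gremlin"}},
    {"component": {"id": "svc-2", "type": "org.apache.nifi.dbcp.DBCPConnectionPool", "name": "db"}}]})

if __name__ == "__main__":
    print(assess(SAMPLE_ABOUT, SAMPLE_SERVICES))
```

An instance that is both in the affected range and has a TinkerpopClientService configured is the case the advisory describes; an instance without the nifi-other-graph-services-nar will simply return an empty service list.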

Added: May 8, 2026, 5:29 PM
Updated: May 8, 2026, 5:29 PM

Vulnerability Rating

Custom Algorithm

spread:         3.1
impact:         2.5
exploitability: 4.8
remediation:    7.7
relevance:      7.8
threat:         0.0
urgency:        1.4
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.