CVE-2026-39816

Apache NiFi: Missing Execute Code Required Permission on TinkerpopClientService

CVSS 7.5 HIGHEPSS 0.8%CWE-862

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 7.5EPSS 0.8%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

28 abr 2026PoC pública

08 mai 2026Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type, enabling Groovy Script execution in the service prior to submitting the query. The missing Restricted annotation allows users without the Execute Code Permission to configure the Service in installations that use fine-grained authorization and have the optional TinkerpopClientService installed. Apache NiFi installations that do not have the nifi-other-graph-services-nar installed are not subject to this vulnerability. Upgrading to Apache NiFi 2.9.0 is the recommended mitigation.

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/AU:Y/R:I/V:C/RE:L/U:Green

Produtos afetados

Apache Software Foundation · Apache NiFi

PoCs públicas encontradas — 1

githubgithub.com/ZeroPathAI/nifi-CVE-2026-39816-poc★ 1

⚠ Recursos públicos, para você avaliar a exposição de sistemas que controla ou está autorizado a testar. Teste apenas com autorização.

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://lists.apache.org/thread/gh9g7xwvv4l20gzff6q3367snf35ctcb https://zeropath.com/blog/nifi-cve-2026-39816-privesc-rce http://www.openwall.com/lists/oss-security/2026/04/13/8