CVE-2026-39816 Overview
CVE-2026-39816 affects the optional TinkerpopClientService extension component in Apache NiFi 2.0.0-M1 through 2.8.0. The component lacks the Restricted annotation that enforces the Execute Code permission requirement. Users without Execute Code permission can configure the service in installations using fine-grained authorization. The TinkerpopClientService supports ByteCode Submission for its Script Submission Type, enabling Groovy script execution before query submission. This allows an authenticated user to bypass authorization controls and execute arbitrary code on the NiFi host. Only installations with the nifi-other-graph-services-nar bundle deployed are affected. The vulnerability maps to [CWE-862] Missing Authorization.
Critical Impact
Authenticated NiFi users without Execute Code permission can run arbitrary Groovy scripts on the server, leading to privilege escalation and remote code execution.
Affected Products
- Apache NiFi 2.0.0-M1 through 2.8.0 (with nifi-other-graph-services-nar installed)
- Deployments using fine-grained authorization policies
- Installations exposing the TinkerpopClientService extension
Discovery Timeline
- 2026-05-08 - CVE-2026-39816 published to NVD
- 2026-05-09 - Last updated in NVD database
Technical Details for CVE-2026-39816
Vulnerability Analysis
Apache NiFi enforces sensitive operations through the Restricted annotation combined with specific permissions such as Execute Code. Components carrying this annotation require the requesting user to hold the matching permission before configuration is allowed. The TinkerpopClientService omits this annotation despite supporting code execution paths. Operators relying on fine-grained authorization assume that only privileged users can configure code-executing components. This assumption breaks for the affected service, granting lower-privileged users access to a code execution primitive.
Root Cause
The root cause is missing authorization metadata on the TinkerpopClientService class. The Execute Code Required permission gate that NiFi applies to scriptable components is never triggered because the annotation is absent. NiFi's authorization framework checks annotations at configuration time, so the absent decorator removes the enforcement step entirely.
Attack Vector
An attacker authenticates to a vulnerable NiFi instance with permissions to create or modify controller services but without the Execute Code permission. The attacker configures a TinkerpopClientService instance and sets the Script Submission Type to ByteCode Submission. The attacker supplies a Groovy script that runs on the NiFi process before any graph query executes. The script inherits the NiFi service account context and can read secrets, modify flows, or pivot to other systems. Refer to the Apache Mailing List Thread and the ZeroPath Blog on CVE-2026-39816 for additional technical context.
No public exploit code or proof-of-concept has been verified for this issue. The linked advisories above document the vulnerability mechanism but do not publish exploitation code.
Detection Methods for CVE-2026-39816
Indicators of Compromise
- Creation or modification of TinkerpopClientService controller service instances by users lacking Execute Code permission
- TinkerpopClientService configurations where Script Submission Type is set to ByteCode Submission with embedded Groovy code
- Unexpected child processes or outbound network connections originating from the NiFi JVM process
- New or modified entries in NiFi flow definitions referencing nifi-other-graph-services-nar components
Detection Strategies
- Audit NiFi access logs for controller service create or update events targeting TinkerpopClientService
- Correlate user permission assignments with controller service configuration events to identify authorization mismatches
- Inspect NiFi flow.json.gz or flow definition exports for TinkerpopClientService entries containing Groovy script payloads
- Monitor the NiFi host for process execution chains spawned by the NiFi service account
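To support the flow.json.gz inspection step above, an added example that is not from this page or the NiFi project: it walks a parsed flow JSON tree, reports every TinkerpopClientService instance (including ones inside nested process groups), and flags any whose properties select ByteCode Submission. The sample flow and the Tinkerpop property names are constructed assumptions; check the layout under rootGroup against your own export before relying on the match.

```python
import gzip
import json

GRAPH_BUNDLE = "nifi-other-graph-services-nar"

# Constructed sample shaped like the "rootGroup" tree in flow.json.gz; the Tinkerpop
# property names are assumptions, so matching uses type/bundle plus a "bytecode" value.
SAMPLE_FLOW = {"rootGroup": {
    "controllerServices": [
        {"identifier": "svc-1", "name": "Graph Client",
         "type": "org.apache.nifi.graph.TinkerpopClientService",
         "bundle": {"artifact": GRAPH_BUNDLE},
         "properties": {"Script Submission Type": "ByteCode Submission"}},
        {"identifier": "svc-2", "name": "TLS Context",
         "type": "org.apache.nifi.ssl.StandardSSLContextService",
         "bundle": {"artifact": "nifi-ssl-context-service-nar"}, "properties": {}}],
    "processGroups": [{"controllerServices": [
        {"identifier": "svc-3", "name": "Nested Graph Client",
         "type": "org.apache.nifi.graph.TinkerpopClientService",
         "bundle": {"artifact": GRAPH_BUNDLE},
         "properties": {"Script Submission Type": "Script Submission"}}]}]}}

def iter_controller_services(node):
    """Yield every controller service, including ones in nested process groups."""
    if isinstance(node, dict):
        yield from node.get("controllerServices", [])
        for key, value in node.items():
            if key != "controllerServices":
                yield from iter_controller_services(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_controller_services(item)

def find_tinkerpop_services(flow):
    """Report each TinkerpopClientService and whether it selects ByteCode Submission."""
    findings = []
    for svc in iter_controller_services(flow):
        if (svc.get("type", "").endswith("TinkerpopClientService")
                or svc.get("bundle", {}).get("artifact") == GRAPH_BUNDLE):
            props = svc.get("properties") or {}
            findings.append({
                "id": svc.get("identifier"), "name": svc.get("name"),
                "bytecode_submission": any("bytecode" in str(v).lower()
                                           for v in props.values())})
    return findings

def scan_flow_file(path):
    """Open a real flow.json.gz from the NiFi conf directory and scan it."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return find_tinkerpop_services(json.load(fh))
```

Any finding with bytecode_submission set to True should be correlated with the audit log to confirm that the user who configured it holds Execute Code permission.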
Monitoring Recommendations
- Forward NiFi user audit logs to a centralized SIEM and alert on controller service configuration changes
- Track installation of the nifi-other-graph-services-nar bundle across NiFi clusters
- Baseline normal Groovy and graph query activity to flag deviations
- Alert on NiFi service account command execution beyond expected dataflow operations
How to Mitigate CVE-2026-39816
Immediate Actions Required
- Upgrade Apache NiFi to version 2.9.0 or later, which adds the Restricted annotation to the component and restores Execute Code enforcement
- Inventory NiFi installations for the presence of nifi-other-graph-services-nar and prioritize patching those hosts
- Review current users and groups granted access to controller service configuration and remove unnecessary permissions
- Audit existing TinkerpopClientService instances for unauthorized Groovy script content
Patch Information
Apache recommends upgrading to Apache NiFi 2.9.0. The fix adds the Restricted annotation with the Execute Code Required permission to the TinkerpopClientService component. Details are published in the Apache Mailing List Thread and the Openwall OSS-Security Post.
Workarounds
- Remove the nifi-other-graph-services-nar bundle from the NiFi lib directory if Tinkerpop functionality is not required
- Restrict controller service creation and modification permissions to users who already hold Execute Code permission
- Until the upgrade is complete, stop relying on fine-grained per-component policies (which the missing annotation lets users bypass) and restrict component configuration to a single administrative tier
# Remove the optional graph services bundle to eliminate exposure
# (assumes NIFI_HOME points at the NiFi installation root)
mkdir -p /tmp/quarantine
cd "$NIFI_HOME/lib" || exit 1
mv nifi-other-graph-services-nar-*.nar /tmp/quarantine/
# Restart NiFi to apply the change
"$NIFI_HOME/bin/nifi.sh" restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.