PatchSiren cyber security CVE debrief
CVE-2026-39816 Apache CVE debrief
CVE-2026-39816 is a high-severity authorization issue in Apache NiFi’s optional TinkerpopClientService. In affected NiFi versions, the service can be configured without the Restricted annotation that should require Execute Code permission. In environments using fine-grained authorization, that means a user who lacks Execute Code permission may still be able to configure the service if the optional graph-services NAR is installed. Apache recommends upgrading to NiFi 2.9.0. Systems that do not have nifi-other-graph-services-nar installed are not affected.
- Vendor: Apache
- Product: CVE-2026-39816
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-09
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-09
Who should care
NiFi administrators, platform owners, and security teams running Apache NiFi 2.0.0-M1 through 2.8.0, especially deployments that use fine-grained authorization and include the optional nifi-other-graph-services-nar package. Review access control around service configuration and any environments where non-admin users can create or edit controller services.
Technical summary
The issue is a missing Restricted annotation on the optional TinkerpopClientService. That annotation should have enforced the Execute Code Required Permission. Without it, the service can be configured by users who are not supposed to hold Execute Code permission. The service supports ByteCode Submission for the Script Submission Type, which allows Groovy script execution inside the service before the query is submitted, so the ability to configure the service is effectively the ability to run code. The vulnerable range is Apache NiFi 2.0.0-M1 through 2.8.0, and the NVD criteria indicate the issue is resolved in 2.9.0.
Defensive priority
High; prioritize immediately for any affected NiFi deployment that uses the optional graph-services component and fine-grained authorization.
Recommended defensive actions
- Upgrade Apache NiFi to 2.9.0 as recommended by the vendor.
- Confirm whether nifi-other-graph-services-nar is installed; if it is not installed, the system is not subject to this vulnerability.
- Review controller service permissions and verify that users without Execute Code permission cannot configure code-capable services.
- Audit NiFi authorization policies for any non-admin paths that can edit or enable services in affected environments.
- Track and validate the presence of the Apache vendor advisory and NVD entry in your vulnerability management workflow.
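As an added example (not from the advisory or the NiFi project), the following script implements the first two actions above as a local exposure check: it parses NiFi version strings including milestone builds such as 2.0.0-M1, tests them against the 2.0.0-M1 through 2.8.0 range with 2.9.0 as the fix, and looks for the graph-services NAR in a lib/ directory listing. The NAR filename pattern `nifi-other-graph-services-nar-<version>.nar` under NiFi's `lib/` directory and the sample listing are assumptions for the demo.

```python
import re
from pathlib import Path
from typing import Iterable, Optional, Tuple

# Range and fix taken from the advisory text above.
FIRST_AFFECTED = "2.0.0-M1"
FIXED_VERSION = "2.9.0"
NAR_NAME = "nifi-other-graph-services-nar"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
# Assumed NAR filename layout: nifi-other-graph-services-nar-<version>.nar
_NAR_RE = re.compile(rf"^{NAR_NAME}-(.+)\.nar$")


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Turn 'X.Y.Z' or 'X.Y.Z-Mn' into a sortable tuple.
    A milestone build sorts before the GA release of the same X.Y.Z
    (2.0.0-M1 < 2.0.0-M4 < 2.0.0); GA gets a large sentinel."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised NiFi version: {v!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone else 10**6)


def is_affected_version(v: str) -> bool:
    """True for 2.0.0-M1 up to (excluding) the 2.9.0 fix; anything below
    the fix is conservatively treated as unpatched."""
    return parse_version(FIRST_AFFECTED) <= parse_version(v) < parse_version(FIXED_VERSION)


def find_graph_services_nar(filenames: Iterable[str]) -> Optional[str]:
    """Return the version embedded in the graph-services NAR filename, or None."""
    for name in filenames:
        m = _NAR_RE.match(Path(name).name)
        if m:
            return m.group(1)
    return None


def assess(nifi_version: str, lib_listing: Iterable[str]) -> Tuple[bool, str]:
    """Combine both checks: exposure needs an affected version AND the NAR."""
    nar_version = find_graph_services_nar(lib_listing)
    if nar_version is None:
        return False, f"{NAR_NAME} not installed; not subject to CVE-2026-39816"
    if not is_affected_version(nifi_version):
        return False, f"NiFi {nifi_version} is outside {FIRST_AFFECTED}..2.8.0"
    return True, (f"NiFi {nifi_version} with {NAR_NAME} {nar_version}: "
                  f"upgrade to {FIXED_VERSION} and review Execute Code policies")


# Constructed sample lib/ listing for the demo, not from a real deployment.
SAMPLE_LIB = ["nifi-framework-nar-2.8.0.nar", "nifi-standard-nar-2.8.0.nar",
              "nifi-other-graph-services-nar-2.8.0.nar"]
```

For a live check, pass `os.listdir("/opt/nifi/lib")` (or wherever your NiFi lib/ directory is) and the version string from the NiFi banner or `nifi-framework` NAR name to `assess`.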
Evidence notes
This debrief is based on the supplied CVE description, the NVD modification record, and the Apache mailing-list vendor advisory reference. The source corpus states that TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission, that the affected NiFi versions are 2.0.0-M1 through 2.8.0, that the optional nifi-other-graph-services-nar package must be installed for exposure, and that upgrading to 2.9.0 is the recommended mitigation. Timing context uses the CVE published and modified timestamps provided in the source corpus.
Official resources
- CVE-2026-39816 CVE record (CVE.org)
- CVE-2026-39816 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Mailing List, Vendor Advisory
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
- Source reference: af854a3a-2127-422b-91ae-364da2661108
Publicly disclosed on 2026-05-08 and modified on 2026-05-09 in the supplied CVE record.