
Privilege Escalation Vulnerability in Apache StreamPipes (CVE-2025-47411)

Tags: identity-authentication-vulnerability, widely-deployed-product-advisory
Updated March 21, 2026 at 02:59 PM. 3 sources.

A critical privilege escalation vulnerability, tracked as CVE-2025-47411, affects Apache StreamPipes versions 0.69.0 through 0.97.0. The flaw stems from an erroneous user ID creation mechanism: an existing, legitimate non-administrator user can manipulate their JWT token, swapping their own username for that of an existing administrator account, and is then treated as that administrator with full administrative control of the application. Bypassing the access controls this way requires neither advanced technical skill nor external tooling, which is what makes the flaw so dangerous.

With administrative access, an attacker can read sensitive data, change system configuration, and potentially compromise the entire data streaming infrastructure. The risk is greatest for organizations that process proprietary or operational data through StreamPipes, and because a pipeline typically feeds other systems, a compromised StreamPipes instance can become a foothold into the downstream business systems it is integrated with. Apache fixed the issue in StreamPipes 0.98.0; all users of affected versions should upgrade immediately. Until the upgrade is done, note that the attack requires an authenticated account, so tightening who can hold a non-administrator login and reviewing recent administrative actions for unexpected actors are the obvious interim measures.
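The following is an added illustration written for this page; it is not Apache StreamPipes code and does not reproduce the project's actual fix. It models the vulnerability class the summary describes: a service resolves the caller's role from a JWT username claim that the user can legitimately change (and that is not kept unique), so a non-admin who takes an admin's username is resolved as that admin even though the token's signature is perfectly valid. The hardened variant keeps usernames unique and puts an immutable, server-assigned principal ID in `sub`. The user store, account names, signing key and helper names are all assumptions constructed for the example; `streampipes_affected` only encodes the version range the advisory gives.

```python
# Added illustration for this page, not Apache StreamPipes code: the bug class
# behind CVE-2025-47411, where the role is resolved from a username claim that
# the user can legitimately change, rather than from an immutable principal id.
import base64, hashlib, hmac, json, time

SIGNING_KEY = b"demo-signing-key"  # constructed for the example only

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Minimal HS256 JWT: b64(header).b64(payload).b64(HMAC-SHA256)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"

def verify_jwt(token: str, key: bytes = SIGNING_KEY) -> dict:
    """Check the MAC and expiry, then return the claims; raises ValueError."""
    head, body, sig = token.split(".")
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims

class VulnerableUserStore:
    """Assumed flawed identity model: the username is user-editable, not kept
    unique, and is the key used to look up the caller's role."""
    def __init__(self):
        self.users = [  # constructed sample accounts
            {"id": "u-1", "username": "admin", "role": "ADMIN"},
            {"id": "u-2", "username": "alice", "role": "USER"},
        ]

    def _by(self, field: str, value: str) -> dict:
        return next(u for u in self.users if u[field] == value)

    def rename(self, user_id: str, new_name: str) -> None:
        self._by("id", user_id)["username"] = new_name  # no uniqueness check

    def issue_token(self, user_id: str) -> str:
        name = self._by("id", user_id)["username"]
        return sign_jwt({"sub": name, "exp": time.time() + 300})

    def role_for(self, token: str) -> str:
        # The signature is valid; the problem is that the lookup key is the
        # attacker-chosen username and the first match (the real admin) wins.
        return self._by("username", verify_jwt(token)["sub"])["role"]

class HardenedUserStore(VulnerableUserStore):
    """Fix: reject duplicate usernames and put the immutable id in 'sub'."""
    def rename(self, user_id: str, new_name: str) -> None:
        if any(u["id"] != user_id and u["username"].casefold() == new_name.casefold()
               for u in self.users):
            raise ValueError("username already in use")
        super().rename(user_id, new_name)

    def issue_token(self, user_id: str) -> str:
        uid = self._by("id", user_id)["id"]
        return sign_jwt({"sub": uid, "exp": time.time() + 300})

    def role_for(self, token: str) -> str:
        return self._by("id", verify_jwt(token)["sub"])["role"]

def demo() -> tuple:
    """(role alice reaches on the vulnerable store, rename blocked on the
    hardened store?, role alice reaches on the hardened store)."""
    vuln = VulnerableUserStore()
    vuln.rename("u-2", "admin")  # a legitimate non-admin takes the admin's name
    escalated = vuln.role_for(vuln.issue_token("u-2"))
    hard = HardenedUserStore()
    try:
        hard.rename("u-2", "admin")
        blocked = False
    except ValueError:
        blocked = True
    return escalated, blocked, hard.role_for(hard.issue_token("u-2"))

def tampered_token_rejected() -> bool:
    """Editing 'sub' without the key fails the MAC: the bug class above needs no
    tampering, so 'the JWT is signed' is not by itself a defence."""
    store = HardenedUserStore()
    head, _, sig = store.issue_token("u-2").split(".")
    body = _b64(json.dumps({"sub": "u-1", "exp": time.time() + 300}).encode())
    try:
        store.role_for(f"{head}.{body}.{sig}")
    except ValueError:
        return True
    return False

def streampipes_affected(version: str) -> bool:
    """Affected range per the advisory: 0.69.0 through 0.97.0 (0.98.0 fixed)."""
    nums = tuple(int(p) for p in version.split("-")[0].split("."))
    return (0, 69, 0) <= nums <= (0, 97, 0)

if __name__ == "__main__":
    print(demo(), tampered_token_rejected(), streampipes_affected("0.97.0"))
```

Running the file prints `('ADMIN', True, 'USER') True True`: on the vulnerable store alice becomes ADMIN without forging anything, the hardened store refuses the colliding username and still resolves her as USER, and a token with a hand-edited `sub` is rejected by the MAC check. The design point for reviewers of their own services: whatever goes in `sub` must be an identifier the user cannot choose, and any human-readable name that is also used as a lookup key needs a uniqueness constraint (after normalization, hence the `casefold`) enforced at every write path, not only at registration.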

Timeline

  1. Dec 31, 2025

    Public reporting warns PoC exploits are circulating

    Public reports stated that proof-of-concept exploit details for CVE-2025-47411 were already circulating, increasing the risk of real-world exploitation. Coverage emphasized the flaw's low complexity and the potential for unauthorized data access and system compromise.

  2. Dec 31, 2025

    Apache releases StreamPipes 0.98.0 to fix CVE-2025-47411

    Apache released StreamPipes version 0.98.0 to address CVE-2025-47411, a flaw that let non-admin users escalate privileges to full admin access. Organizations were advised to upgrade immediately and review deployments for possible exposure.

  3. Dec 31, 2025

    Mantel Group researcher responsibly discloses CVE-2025-47411

    Darren Xuan of Mantel Group responsibly disclosed a critical privilege-escalation flaw in Apache StreamPipes, tracked as CVE-2025-47411. The vulnerability affects versions 0.69.0 through 0.97.0 and allows standard users to gain administrative control by manipulating JWT tokens.


Sources

December 31, 2025 at 12:00 AM

Related Stories

Critical Hard-Coded Encryption Key Vulnerability in Apache StreamPark

A critical vulnerability, tracked as CVE-2025-54947, was discovered in Apache StreamPark, a widely used stream-processing platform. The flaw arises from a hard-coded encryption key combined with AES in ECB mode (which encrypts identical plaintext blocks identically and offers no integrity protection), allowing anyone who extracts the key from the software to decrypt sensitive data, forge authentication tokens, and potentially gain unauthorized access to affected systems. The vulnerability affects the 2.0.0 line up to the fixed release, exposing unpatched organizations to information disclosure and privilege escalation. The Apache StreamPark development team addressed the issue in version 2.1.7, which removes the hard-coded key. Organizations should upgrade to that version or later immediately and audit their StreamPark deployments for signs of compromise, since any token or ciphertext produced under the shared key must be treated as untrustworthy. Left unpatched, the flaw lets threat actors manipulate system behavior or escalate privileges within enterprise environments that rely on StreamPark for real-time data processing.

1 month ago
Privilege Escalation Vulnerabilities in Splunk Enterprise and Universal Forwarder for Windows

Splunk has disclosed two high-severity vulnerabilities, CVE-2025-20386 and CVE-2025-20387, affecting its Enterprise and Universal Forwarder products on Windows platforms. These flaws arise from incorrect NTFS file permissions set during installation and upgrades, allowing non-administrator users to access, modify, or overwrite sensitive files within the Splunk installation directories. The vulnerabilities enable local privilege escalation, potentially allowing attackers or compromised users to gain administrative access, alter configurations, or execute malicious code under elevated privileges. No active exploitation has been reported, but the risk remains significant for unpatched systems. The vulnerabilities impact both new installations and upgrades, with affected directories containing executable binaries, configuration files, and scripts critical to Splunk's operation. Attackers with local access could replace binaries, modify configuration files, inject malicious startup scripts, or hijack supporting executables, leading to full system compromise. Splunk has released patched versions (10.0.2, 9.4.6, 9.3.8, and 9.2.10) and strongly advises customers to upgrade immediately to mitigate these risks and prevent potential privilege escalation attacks.

1 month ago
Apache NiFi Authorization Bypass in Restricted Component Updates (CVE-2026-25903)

Apache NiFi disclosed a high-severity authorization flaw, tracked as CVE-2026-25903, that allows a lower-privileged user to modify configuration properties of Restricted extension components after they have been added to a flow by a more privileged user. The issue affects NiFi versions 1.1.0 through 2.7.2 and stems from missing authorization checks during component property updates: the framework enforced the extra privileges required to add a Restricted component, but did not consistently re-check the component's restricted status when updating it, enabling an authorization bypass (CWE-862). Potential impact includes tampering with dataflow logic and, depending on the component and environment, enabling unsafe actions such as triggering sensitive operations or altering processing behavior. Risk is conditional on deployments that implement distinct authorization levels for Restricted components; installations that do not differentiate authorization levels are described as not subject to this specific bypass because standard write permissions remain the effective security boundary. Upgrading to NiFi 2.8.0 is the recommended mitigation, and the issue was reported via responsible disclosure (credited to David Handermann in reporting). CVE records also reference public advisories and include a CVSS v4.0 vector indicating network reachability and high potential impact, while noting prerequisites such as the need for a privileged user to have already introduced the Restricted component into the flow.

1 month ago
