Home

Description

Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not cover additional strategies. Apache NiFi installations that do not use the CaptureChangeMySQL Processor are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which incorporates more robust identifier escaping.

PUBLISHED Reserved 2026-05-08 | Published 2026-06-22 | Updated 2026-06-22 | Assigner apache




MEDIUM: 5.2CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/V:C/RE:L/U:Clear

Problem types

CWE-116 Improper Encoding or Escaping of Output

Product status

Default status
unaffected

1.2.0 (semver)
affected

Timeline

2026-04-27:reported

Credits

Roberto Suggi Liverani from NATO Cyber Security Centre (NCSC) finder

References

www.openwall.com/lists/oss-security/2026/06/20/5

lists.apache.org/thread/c8vkt5rz4dqql6sjxgrr3zdkbt1sfmsl vendor-advisory

cve.org (CVE-2026-44913)

nvd.nist.gov (CVE-2026-44913)

Download JSON