CVE-2026-44913 MEDIUM

CVE-2026-44913: Apache NiFi: Improper Escaping of Table Names in CaptureChangeMySQL

Vendor Apache Software Foundation
Product Apache NiFi
Weakness CWE-116
Published June 22, 2026
Last update June 22, 2026

CVSS base score

5.2/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/V:C/RE:L/U:Clear

What the vulnerability does

Description

Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not cover additional strategies. Apache NiFi installations that do not use the CaptureChangeMySQL Processor are not subject to this vulnerability. The recommended mitigation is upgrading to Apache NiFi 2.10.0, which incorporates more robust identifier escaping.
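
A generic illustration of this weakness class (CWE-116 applied to MySQL identifiers), added here as an example; it is not Apache NiFi's code and not the 2.10.0 fix. The class and method names are hypothetical and the table names are constructed samples. It contrasts wrapping a name in backticks with escaping the name first, and checks whether the result still parses as one quoted identifier.

```java
public class MySqlIdentifierQuoting {
    // Manual quoted boundary: wraps the name but leaves its content untouched.
    static String naiveQuote(String name) {
        return "`" + name + "`";
    }

    // Escaping per MySQL identifier rules: at most 64 characters, no NUL,
    // and every embedded backtick doubled before the boundaries are added.
    static String safeQuote(String name) {
        if (name == null || name.isEmpty() || name.length() > 64) {
            throw new IllegalArgumentException("invalid identifier length");
        }
        if (name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("NUL not permitted in identifier");
        }
        return "`" + name.replace("`", "``") + "`";
    }

    // True only if the text is exactly one backtick-quoted identifier,
    // i.e. the first unescaped closing backtick is the final character.
    static boolean isSingleQuotedIdentifier(String quoted) {
        if (quoted.length() < 3 || quoted.charAt(0) != '`') {
            return false;
        }
        int i = 1;
        while (i < quoted.length()) {
            if (quoted.charAt(i) == '`') {
                boolean doubled = i + 1 < quoted.length() && quoted.charAt(i + 1) == '`';
                if (!doubled) {
                    return i == quoted.length() - 1;
                }
                i += 2; // skip the escaped pair
            } else {
                i++;
            }
        }
        return false; // never closed
    }

    public static void main(String[] args) {
        // Constructed sample names; the second contains a backtick.
        String[] names = {"orders", "audit`log"};
        for (String n : names) {
            System.out.printf("%-10s naive=%-14s single=%-5b safe=%-14s single=%b%n",
                n, naiveQuote(n), isSingleQuotedIdentifier(naiveQuote(n)),
                safeQuote(n), isSingleQuotedIdentifier(safeQuote(n)));
        }
    }
}
```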

Key dates

Disclosure timeline

June 22, 2026 CVE published
June 22, 2026 Record updated