CVE-2026-44913

Apache NiFi: Improper Escaping of Table Names in CaptureChangeMySQL

Assigner: apache
Reserved: 08.05.2026 Published: 22.06.2026 Updated: 22.06.2026

Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not cover additional strategies. Apache NiFi installations that do not use the CaptureChangeMySQL Processor are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which incorporates more robust identifier escaping.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/V:C/RE:L/U:Clear
CVSS Score: 5.2

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	High
Attack Complexity	High	Integrity	None	Integrity	High
Attack Requirements	Present	Availability	None	Availability	High
Privileges Required	High
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	Apache Software Foundation
Product	Apache NiFi
Versions	Default: unaffected affected from 1.2.0 to 2.9.0 (incl.)

Vendor

Apache Software Foundation

Product

Apache NiFi

Versions

Default: unaffected

affected from 1.2.0 to 2.9.0 (incl.)

Credits

Roberto Suggi Liverani from NATO Cyber Security Centre (NCSC) finder

References

Problem Types