Apache NiFi: Improper Escaping of Table Names in CaptureChangeMySQL
Summary
| CVE | CVE-2026-44913 |
|---|---|
| State | PUBLISHED |
| Assigner | apache |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-22 08:17:05 UTC |
| Updated | 2026-06-23 19:53:00 UTC |
| Description | Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not cover additional strategies. Apache NiFi installations that do not use the CaptureChangeMySQL Processor are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which incorporates more robust identifier escaping. |
Risk And Classification
Primary CVSS: v4.0 5.2 MEDIUM from [email protected]
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:L/U:Clear
EPSS: 0.003850000 probability, percentile 0.303900000 (date 2026-06-28)
Problem Types: CWE-116 | CWE-116 CWE-116 Improper Encoding or Escaping of Output
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 5.2 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/C... |
| 4.0 | CNA | CVSS | 5.2 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/S:P/A... |
| 3.1 | [email protected] | Primary | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
HighAttack Requirements
PresentPrivileges Required
HighUser Interaction
PassiveConfidentiality
NoneIntegrity
NoneAvailability
NoneSub Conf.
HighSub Integrity
HighSub Availability
HighCVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:L/U:Clear
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
HighUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Apache Software Foundation | Apache NiFi | affected 1.2.0 2.9.0 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.openwall.com/lists/oss-security/2026/06/20/5 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | Third Party Advisory, Mailing List |
| lists.apache.org/thread/c8vkt5rz4dqql6sjxgrr3zdkbt1sfmsl | [email protected] | lists.apache.org | Vendor Advisory, Mailing List |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Roberto Suggi Liverani from NATO Cyber Security Centre (NCSC) (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-04-27T07:00:00.000Z | reported |
There are currently no legacy QID mappings associated with this CVE.