CVE-2026-44913
Analyzed Analyzed - Analysis Complete

Improper SQL Injection in Apache NiFi CaptureChangeMySQL Processor

Vulnerability report for CVE-2026-44913, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-23

Assigner: Apache Software Foundation

Description

Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not cover additional strategies. Apache NiFi installations that do not use the CaptureChangeMySQL Processor are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which incorporates more robust identifier escaping.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-23
Generated
2026-07-12
AI Q&A
2026-06-22
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
apache nifi From 1.2.0 (inc) to 2.10.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify how the CVE-2026-44913 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability affects Apache NiFi versions 1.2.0 through 2.9.0 specifically when using the CaptureChangeMySQL Processor. Detection involves verifying if your Apache NiFi installation uses this processor and if the version is within the vulnerable range.

To detect the vulnerability on your system, you can check the NiFi version and whether the CaptureChangeMySQL Processor is configured or in use.

  • Check Apache NiFi version: Run a command or check the NiFi UI to confirm the version is between 1.2.0 and 2.9.0.
  • Inspect NiFi flow configuration files or use the NiFi UI to identify if the CaptureChangeMySQL Processor is present.
  • No specific commands for detecting SQL injection attempts via this vulnerability are provided in the available resources.

The recommended mitigation is upgrading to Apache NiFi 2.10.0, which includes improved escaping to prevent this vulnerability.

Executive Summary

This vulnerability involves improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi versions 1.2.0 through 2.9.0. Because of this improper escaping, an attacker can inject SQL commands by crafting malicious table names. Although Apache NiFi 1.8.0 introduced manual quoted boundaries to reduce some injection options, it did not fully prevent all injection strategies. The vulnerability only affects installations using the CaptureChangeMySQL Processor.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary SQL commands through crafted database table names, potentially leading to unauthorized data access, data manipulation, or disruption of database operations. Such SQL injection attacks can compromise the integrity and confidentiality of data managed by Apache NiFi when using the vulnerable processor.

Mitigation Strategies

The recommended mitigation is to upgrade Apache NiFi to version 2.10.0, which incorporates more robust identifier escaping to prevent SQL injection via the CaptureChangeMySQL Processor.

Additionally, ensure that your Apache NiFi installation does not use the CaptureChangeMySQL Processor if upgrading immediately is not possible, as installations without this processor are not subject to this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44913. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart