CVE-2026-44913
Improper SQL Injection in Apache NiFi CaptureChangeMySQL Processor

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: Apache Software Foundation

Description
Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not cover additional strategies. Apache NiFi installations that do not use the CaptureChangeMySQL Processor are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which incorporates more robust identifier escaping.
Affected Vendors & Products

Vendor   Product   Version / Range
apache   nifi      up to 2.9.0 (inclusive)
apache   nifi      2.10.0
CWE

CWE-116: The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Executive Summary

This vulnerability involves improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi versions 1.2.0 through 2.9.0. Because of this improper escaping, an attacker can inject SQL commands by crafting malicious table names. Although Apache NiFi 1.8.0 introduced manual quoted boundaries to reduce some injection options, it did not fully prevent all injection strategies. The vulnerability only affects installations using the CaptureChangeMySQL Processor.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary SQL commands through crafted database table names, potentially leading to unauthorized data access, data manipulation, or disruption of database operations. Such SQL injection attacks can compromise the integrity and confidentiality of data managed by Apache NiFi when using the vulnerable processor.

Mitigation Strategies

The recommended mitigation is to upgrade Apache NiFi to version 2.10.0, which incorporates more robust identifier escaping to prevent SQL injection via the CaptureChangeMySQL Processor.

If upgrading immediately is not possible, avoid using the CaptureChangeMySQL Processor: installations that do not use it are not subject to this vulnerability.
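The description and the mitigation section both turn on the same point: quoting an identifier is not the same as escaping it, and an identifier that contains the quote character itself breaks the structure of the statement (CWE-116). The following Python is an added illustration written for this page; it is not Apache NiFi's code and does not claim to reproduce the processor's actual fix. It assumes MySQL's backtick identifier syntax, where the only escape inside a quoted identifier is a doubled backtick, and shows a quote-only helper beside a quote-and-escape helper together with a small parser that checks whether a quoted identifier round-trips intact.

```python
def quote_identifier(name: str) -> str:
    """Backtick-quote a MySQL identifier and double any embedded backtick.

    In MySQL the only escape inside a backtick-quoted identifier is "``",
    so this is the complete escaping rule for identifiers. NUL bytes are
    never legal in an identifier and are rejected outright.
    """
    if not name:
        raise ValueError("empty identifier")
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return "`" + name.replace("`", "``") + "`"


def quote_identifier_boundaries_only(name: str) -> str:
    """The weaker pattern: quote boundaries only, content left untouched.

    Included purely to show why quoting without escaping is insufficient;
    this is an assumed illustration, not the vulnerable project's code.
    """
    return "`" + name + "`"


def select_from(schema: str, table: str, quoter=quote_identifier) -> str:
    """Build a SELECT over a schema-qualified table using the given quoter."""
    return f"SELECT * FROM {quoter(schema)}.{quoter(table)}"


def parse_quoted(fragment: str, pos: int = 0) -> tuple:
    """Read one backtick-quoted identifier at `pos`; return (name, next_pos).

    A doubled backtick is one literal backtick; a single backtick ends the
    identifier. This mirrors how MySQL tokenises a quoted identifier.
    """
    if pos >= len(fragment) or fragment[pos] != "`":
        raise ValueError("expected opening backtick")
    out = []
    i = pos + 1
    while i < len(fragment):
        c = fragment[i]
        if c == "`":
            if i + 1 < len(fragment) and fragment[i + 1] == "`":
                out.append("`")  # escaped backtick
                i += 2
                continue
            return "".join(out), i + 1  # closing backtick
        out.append(c)
        i += 1
    raise ValueError("unterminated identifier")


def round_trips(name: str, quoter=quote_identifier) -> bool:
    """True if quoting then parsing yields the same name and consumes the
    whole quoted text, i.e. the statement structure is preserved.
    False means the name leaked past the quoted boundary."""
    quoted = quoter(name)
    parsed, end = parse_quoted(quoted)
    return parsed == name and end == len(quoted)


if __name__ == "__main__":
    # Constructed sample names: one ordinary, one containing a backtick.
    for name in ("events", "odd`name"):
        print(name, "escaped:", round_trips(name),
              "boundaries only:", round_trips(name, quote_identifier_boundaries_only))
```

The check in `round_trips` is the property a reviewer should look for when auditing identifier handling: for every name the database would accept, quoting followed by the database's own tokenisation must give back exactly that name. A quote-only helper passes for ordinary names and fails as soon as the quote character appears, which is the gap the description refers to as "additional strategies" not covered by manual quoted boundaries.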
