Apache NiFi: Improper Escaping of Table Names in CaptureChangeMySQL

5.2 / 10

MEDIUM

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/V:C/RE:L/U:Clear

Description

Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not cover additional strategies. Apache NiFi installations that do not use the CaptureChangeMySQL Processor are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which incorporates more robust identifier escaping.

Basic Information

ID CVE-2026-44913

Source apache

Published Jun 22, 2026 at 07:36

Affected Product

Vendor Apache Software Foundation

Product Apache NiFi

Version 1.2.0

Affected Versions Apache Software Foundation Apache NiFi 1.2.0

CWE Classification

CWE-116

References

lists.apache.org /thread/c8vkt5rz4dqql6sjxgrr3zdkbt1sfmsl

{
    "lastseen": "",
    "description": "Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not cover additional strategies. Apache NiFi installations that do not use the CaptureChangeMySQL Processor are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which incorporates more robust identifier escaping.",
    "published": "2026-06-22T07:36:40.885Z",
    "modified": "2026-06-22T07:36:40.885Z",
    "type": "cve",
    "title": "Apache NiFi: Improper Escaping of Table Names in CaptureChangeMySQL",
    "source": "apache",
    "references": "https://lists.apache.org/thread/c8vkt5rz4dqql6sjxgrr3zdkbt1sfmsl",
    "id": "CVE-2026-44913",
    "bulletinFamily": "",
    "cwe": [
        "CWE-116"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache NiFi 1.2.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.2,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/V:C/RE:L/U:Clear",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache NiFi",
    "version": "1.2.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Apache NiFi: Improper Escaping of Table Names in CaptureChangeMySQL_CVE-2026-44913