CVE-2026-44913

Vulnerability Description

Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not cover additional strategies. Apache NiFi installations that do not use the CaptureChangeMySQL Processor are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which incorporates more robust identifier escaping.

Vulnerability Details

Published Date

June 22, 2026

Last Modified

June 22, 2026

CWE ID

CWE-116

Source

NVD

Vendor

Apache Software Foundation

Product

Apache NiFi

External References

https://lists.apache.org/thread/c8vkt5rz4dqql6sjxgrr3zdkbt1sfmsl
http://www.openwall.com/lists/oss-security/2026/06/20/5

CVE-2026-44913

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment