CVE-2026-44913 | Improper escaping of database table names in the CaptureChan… | CVSS 5.2 MEDIUM

Description

Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not cover additional strategies. Apache NiFi installations that do not use the CaptureChangeMySQL Processor are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which incorporates more robust identifier escaping.

Metadata

CVE ID: CVE-2026-44913
State: PUBLISHED
Assigner: apache
Reserved: 2026-05-08 04:15 UTC
Published: 2026-06-22 07:36 UTC
Last updated: 2026-06-22 12:28 UTC
Primary CWE: CWE-116
CWE-116 Improper Encoding or Escaping of Output
Vendor / Product: Apache Software Foundation / Apache NiFi
Sources: cve.org · NVD

Severity & Metrics

5.2 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/V:C/RE:L/U:Clear

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Apache Software Foundation	Apache NiFi	—	1.2.0 ≤ 2.9.0

Weakness (CWE)

CWE	Source	Description
CWE-116	cna	CWE-116 Improper Encoding or Escaping of Output

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.2	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/V:C/RE:L/U:Clear

References (1)

https://lists.apache.org/thread/c8vkt5rz4dqql6sjxgrr3zdkbt1sfmsl