CVE Catalog

CVE-2026-44913

HighCVSS 7.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile - higher than 17% of all known CVEs

Summary

Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi versions 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not cover additional strategies.

Risk Assessment

Organizations using vulnerable versions of Apache NiFi may be exposed to SQL injection attacks, potentially leading to unauthorized access to or modification of data.

Recommendation

Upgrading to Apache NiFi version 2.10.0 is recommended, which incorporates more robust identifier escaping.

Original NVD description (English source)

Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not cover additional strategies. Apache NiFi installations that do not use the CaptureChangeMySQL Processor are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which incorporates more robust identifier escaping.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS