CVE-2026-44913
CVE-2026-44913 is an SQL injection in the CaptureChangeMySQL Processor of Apache NiFi 1.2.0 through 2.9.0, caused by improper escaping of database table names: a crafted table name can inject SQL commands. The 5.2 (Medium) score shown here is the CVSS v4.0 base score; the CVSS v3.1 vector listed under Metrics scores 7.2 (High). EPSS estimates a 0.39% probability of exploitation activity in the next 30 days.
Description
Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows SQL commands to be injected through crafted table names. The manual quote boundaries added in Apache NiFi 1.8.0 narrowed the range of usable injection techniques but did not cover every strategy: wrapping an identifier in quote characters is not sufficient when the identifier itself can contain those characters. Apache NiFi installations that do not use the CaptureChangeMySQL Processor are not affected. Upgrading to Apache NiFi 2.10.0, which incorporates more robust identifier escaping, is the recommended mitigation. Both CVSS vectors below require high privileges (PR:H), and the v4.0 vector places the confidentiality, integrity and availability impact on a subsequent system (SC:H/SI:H/SA:H) rather than on the NiFi host itself (VC:N/VI:N/VA:N), which is consistent with injected SQL being executed by the processor's database connection rather than against NiFi.
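As an added illustration (this is not Apache NiFi's code, and the crafted table names are constructed for the example rather than taken from any advisory), the following Python compares three ways of placing a table name into a MySQL statement: raw interpolation, backtick quote boundaries only, and backtick quoting with embedded backticks doubled, which is MySQL's identifier escaping rule. A small lexer that honors backtick-quoted identifiers, single-quoted strings and `-- `/`#` comments counts how many statements a server would see. The `SELECT * FROM ... LIMIT 0` statement shape, the helper names and the table names are assumptions of this example.

```python
"""Added example (not Apache NiFi code): why quote boundaries alone do not
stop identifier injection, and how MySQL identifier escaping closes the gap."""

# Constructed table names for the demonstration; not taken from any advisory.
BENIGN = "orders"
CRAFTED_SEMICOLON = "orders; DROP TABLE audit"                  # breaks out of raw interpolation only
CRAFTED_BACKTICK = "orders` LIMIT 0; DROP TABLE audit; -- "     # also breaks out of plain backtick quoting


# Hypothetical statement shape; the real processor's queries are not reproduced here.
def build_unquoted(table):
    """Strategy 1: raw interpolation, no quote boundaries at all."""
    return "SELECT * FROM " + table + " LIMIT 0"


def build_quoted(table):
    """Strategy 2: quote boundaries only. An embedded backtick ends the identifier early."""
    return "SELECT * FROM `" + table + "` LIMIT 0"


def build_escaped(table):
    """Strategy 3: MySQL identifier escaping. A backtick inside a quoted identifier is
    written as two backticks, so the whole name stays inside the identifier."""
    if "\0" in table:
        raise ValueError("NUL byte is not permitted in a MySQL identifier")
    return "SELECT * FROM `" + table.replace("`", "``") + "` LIMIT 0"


def split_statements(sql):
    """Split SQL on ';' the way a MySQL-style lexer would: a ';' inside a backtick-quoted
    identifier (with `` as the escape), inside a single-quoted string, or after a '-- ' or
    '#' comment marker does not end a statement. Returns the non-empty statements."""
    stmts, buf, i, n = [], [], 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch == "`":                                    # quoted identifier
            j = i + 1
            while j < n:
                if sql[j] == "`":
                    if j + 1 < n and sql[j + 1] == "`":  # doubled backtick is a literal one
                        j += 2
                        continue
                    break                                # closing backtick
                j += 1
            buf.append(sql[i:j + 1])
            i = j + 1
        elif ch == "'":                                  # string literal
            j = i + 1
            while j < n:
                if sql[j] == "\\":                       # backslash escape
                    j += 2
                    continue
                if sql[j] == "'":
                    if j + 1 < n and sql[j + 1] == "'":  # doubled quote is a literal one
                        j += 2
                        continue
                    break
                j += 1
            buf.append(sql[i:j + 1])
            i = j + 1
        elif sql.startswith("-- ", i) or ch == "#":      # comment runs to end of line
            nl = sql.find("\n", i)
            i = n if nl < 0 else nl + 1
        elif ch == ";":
            stmt = "".join(buf).strip()
            if stmt:
                stmts.append(stmt)
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    tail = "".join(buf).strip()
    if tail:
        stmts.append(tail)
    return stmts


def statement_counts():
    """Number of statements the server would see for each (strategy, table name) pair."""
    builders = {"unquoted": build_unquoted, "quoted": build_quoted, "escaped": build_escaped}
    names = {"benign": BENIGN, "semicolon": CRAFTED_SEMICOLON, "backtick": CRAFTED_BACKTICK}
    return {(b, t): len(split_statements(fn(name)))
            for b, fn in builders.items() for t, name in names.items()}


if __name__ == "__main__":
    for (strategy, name), count in sorted(statement_counts().items()):
        print(f"{strategy:9s} {name:10s} -> {count} statement(s)")
```

Quote-only wrapping blocks the obvious `;` break-out, because the semicolon now sits inside the identifier, but a backtick inside the name terminates the identifier early and the rest of the name becomes SQL. Doubling the backtick keeps the entire name inside the identifier. In practice, use a driver or library routine that escapes identifiers for you, and reject or allow-list names containing quote characters or NUL bytes rather than relying on hand-written quoting.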
Metrics
- CVSS v3.1 (7.2, High): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- CVSS v4.0 (5.2, Medium): CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:L/U:Clear
Affected Software
| Vendor | Product | Affected Versions |
|---|---|---|
| Apache | NiFi | >= 1.2.0, < 2.10.0 |
References
- https://lists.apache.org/thread/c8vkt5rz4dqql6sjxgrr3zdkbt1sfmsl (Vendor Advisory, Mailing List)
- http://www.openwall.com/lists/oss-security/2026/06/20/5 (Third Party Advisory, Mailing List)
Frequently Asked Questions
What is CVE-2026-44913?
An SQL injection in the CaptureChangeMySQL Processor of Apache NiFi 1.2.0 through 2.9.0: database table names are not properly escaped, so a crafted table name can inject SQL commands.
How severe is CVE-2026-44913?
Medium, with a CVSS v4.0 base score of 5.2; the CVSS v3.1 vector scores 7.2 (High). EPSS estimates a 0.39% probability of exploitation activity in the next 30 days.
How do I fix CVE-2026-44913?
Upgrade to Apache NiFi 2.10.0, which incorporates more robust identifier escaping. Installations that do not use the CaptureChangeMySQL Processor are not affected.
Source: NVD / NIST
