SQL Injection Vulnerability in Apache NiFi's CaptureChangeMySQL Processor
CVE-2026-44913
5.2 MEDIUM
What is CVE-2026-44913?
The CaptureChangeMySQL Processor in Apache NiFi, versions 1.2.0 to 2.9.0, is susceptible to SQL injection because database table names are not properly escaped. An attacker can inject malicious SQL commands through crafted table names. Version 1.8.0 added manually quoted boundaries around the names, which improved security but remains insufficient against various injection strategies. Users of Apache NiFi who do not employ the CaptureChangeMySQL Processor are not affected. Upgrading to version 2.10.0 is recommended, as it provides enhanced identifier escaping.
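Why wrapping a table name in quote characters is not the same as escaping it, as an added example (not NiFi's code and not its 2.10.0 fix): in MySQL, a backtick inside a backtick-quoted identifier must be doubled. The function names and the sample table names are constructed for illustration.

```python
import re

# Constructed sample table names; the last two contain the quote character.
SAMPLE_NAMES = ["orders", "order items", "audit`log", "t`"]

# One backtick-quoted identifier: every embedded backtick is doubled.
_QUOTED = re.compile(r"`(?:[^`]|``)+`")


def naive_quote(name: str) -> str:
    """Wrap in backticks without escaping: quoted boundaries only."""
    return "`" + name + "`"


def escape_identifier(name: str) -> str:
    """Quote a MySQL identifier: validate, double backticks, then wrap."""
    if not name or "\x00" in name:
        raise ValueError("empty identifier or NUL character")
    if len(name) > 64:
        raise ValueError("longer than MySQL's 64-character identifier limit")
    return "`" + name.replace("`", "``") + "`"


def is_single_identifier(quoted: str) -> bool:
    """True when the text parses as exactly one quoted identifier."""
    return _QUOTED.fullmatch(quoted) is not None


def unquote_identifier(quoted: str) -> str:
    """Recover the original name; reject anything that is not one identifier."""
    if not is_single_identifier(quoted):
        raise ValueError("not a single quoted identifier")
    return quoted[1:-1].replace("``", "`")


def names_breaking_naive_quoting(names):
    """Names whose naive quoting no longer parses as one identifier."""
    return [n for n in names if not is_single_identifier(naive_quote(n))]


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), naive_quote(n), escape_identifier(n))
    print("break naive quoting:", names_breaking_naive_quoting(SAMPLE_NAMES))
```

The round trip through `unquote_identifier` is the useful check in a review or unit test: an escaped name must always decode back to exactly the name that went in.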
Affected Version(s)
Apache NiFi 1.2.0 <= 2.9.0
References
CVSS V4
Score: 5.2
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Roberto Suggi Liverani from NATO Cyber Security Centre (NCSC)