CVE-2026-44913

EUVD-2026-38217

22.06.2026, 08:17

Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not cover additional strategies. Apache NiFi installations that do not use the CaptureChangeMySQL Processor are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which incorporates more robust identifier escaping.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-116 - Improper Encoding or Escaping of Output
The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Vulnerability Media Exposure

[GERMAN] Apache Nifi: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in Apache Nifi ausnutzen, um Dateien und Daten zu manipulieren, um einen SQL-Injection Angriff durchzuführen, und um Sicherheitsvorkehrungen zu umgehen.
Published: 2026-06-21T22:00:00+00:00

References

https://lists.apache.org/thread/c8vkt5rz4dqql6sjxgrr3zdkbt1sfmsl

http://www.openwall.com/lists/oss-security/2026/06/20/5