CVE-2026-44913
HighCVSS 7.2Exploitation Probability (EPSS)
Low risk17th percentile - higher than 17% of all known CVEs
Summary
Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi versions 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not cover additional strategies.
Risk Assessment
Organizations using vulnerable versions of Apache NiFi may be exposed to SQL injection attacks, potentially leading to unauthorized access to or modification of data.
Recommendation
Upgrading to Apache NiFi version 2.10.0 is recommended, which incorporates more robust identifier escaping.
Original NVD description (English source)
Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not cover additional strategies. Apache NiFi installations that do not use the CaptureChangeMySQL Processor are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which incorporates more robust identifier escaping.

