Description
Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not cover additional strategies. Apache NiFi installations that do not use the CaptureChangeMySQL Processor are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which incorporates more robust identifier escaping.
Published: 2026-06-22
Score: 5.2 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CaptureChangeMySQL processor in Apache NiFi versions 1.2.0 through 2.9.0 fails to properly escape database table names used in constructing SQL statements. This flaw allows an attacker to craft table names that inject arbitrary SQL commands into the statements generated by the processor. If the NiFi instance runs with database credentials that have high privileges, the attacker could potentially alter data, read sensitive information, or disrupt database operations.

Affected Systems

Apache NiFi versions 1.2.0 through 2.9.0 that employ the CaptureChangeMySQL processor. Systems that do not use this processor are not affected. Upgrading to 2.10.0 or later fixes the issue.

Risk and Exploitability

The CVSS score of 5.2 indicates a medium severity vulnerability. The EPSS score is not available, so the current likelihood of exploitation is unclear. It is not listed in the CISA KEV catalog. Because the injection occurs through the CaptureChangeMySQL processor, an attacker would need to influence the processor configuration or the data that triggers it. If the NiFi instance is exposed to untrusted input or allows users to specify table names, the attack could be launched remotely; otherwise, the attack vector is more limited to local or privileged users.

Generated by OpenCVE AI on June 22, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache NiFi to version 2.10.0 or newer, which implements proper identifier escaping in CaptureChangeMySQL.
  • Eliminate or restrict deployment of the CaptureChangeMySQL processor in production flows unless it is absolutely required.
  • If an upgrade is delayed, ensure that any table name inputs are validated and sanitized before being supplied to the processor, and consider disabling access to NiFi API endpoints that allow configuration changes from untrusted users.

Generated by OpenCVE AI on June 22, 2026 at 09:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Description Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not cover additional strategies. Apache NiFi installations that do not use the CaptureChangeMySQL Processor are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which incorporates more robust identifier escaping.
Title Apache NiFi: Improper Escaping of Table Names in CaptureChangeMySQL
Weaknesses CWE-116
References
Metrics cvssV4_0

{'score': 5.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/V:C/RE:L/U:Clear'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-22T08:02:02.473Z

Reserved: 2026-05-08T04:15:35.890Z

Link: CVE-2026-44913

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T09:30:16Z

Weaknesses
  • CWE-116

    Improper Encoding or Escaping of Output