Description
Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not cover additional strategies. Apache NiFi installations that do not use the CaptureChangeMySQL Processor are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which incorporates more robust identifier escaping.
Published: 2026-06-22
Score: 5.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CaptureChangeMySQL processor in Apache NiFi versions 1.2.0 through 2.9.0 fails to properly escape database table names used in constructing SQL statements. This flaw allows an attacker to craft table names that inject arbitrary SQL commands into the statements generated by the processor. If the NiFi instance runs with database credentials that have high privileges, the attacker could potentially alter data, read sensitive information, or disrupt database operations.

Affected Systems

Apache NiFi versions 1.2.0 through 2.9.0 that employ the CaptureChangeMySQL processor. Systems that do not use this processor are not affected. Upgrading to 2.10.0 or later fixes the issue.

Risk and Exploitability

The CVSS score of 5.2 indicates a medium severity vulnerability. The EPSS score is not available, so the current likelihood of exploitation is unclear. It is not listed in the CISA KEV catalog. Because the injection occurs through the CaptureChangeMySQL processor, an attacker would need to influence the processor configuration or the data that triggers it. If the NiFi instance is exposed to untrusted input or allows users to specify table names, the attack could be launched remotely; otherwise, the attack vector is more limited to local or privileged users.

Generated by OpenCVE AI on June 22, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache NiFi to version 2.10.0 or newer, which implements proper identifier escaping in CaptureChangeMySQL.
  • Eliminate or restrict deployment of the CaptureChangeMySQL processor in production flows unless it is absolutely required.
  • If an upgrade is delayed, ensure that any table name inputs are validated and sanitized before being supplied to the processor, and consider disabling access to NiFi API endpoints that allow configuration changes from untrusted users.

Generated by OpenCVE AI on June 22, 2026 at 09:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache nifi
Vendors & Products Apache
Apache nifi

Mon, 22 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Description Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not cover additional strategies. Apache NiFi installations that do not use the CaptureChangeMySQL Processor are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which incorporates more robust identifier escaping.
Title Apache NiFi: Improper Escaping of Table Names in CaptureChangeMySQL
Weaknesses CWE-116
References
Metrics cvssV4_0

{'score': 5.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/V:C/RE:L/U:Clear'}


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-22T12:28:41.736Z

Reserved: 2026-05-08T04:15:35.890Z

Link: CVE-2026-44913

cve-icon Vulnrichment

Updated: 2026-06-22T08:02:02.473Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T11:00:05Z

Weaknesses
  • CWE-116

    Improper Encoding or Escaping of Output