CVE-2026-44913: CWE-116 Improper Encoding or Escaping of Output in Apache Software Foundation Apache NiFi
Apache NiFi versions 1.2.0 through 2.9.0 have a vulnerability in the CaptureChangeMySQL Processor where improper escaping of database table names allows injection of SQL commands. Although partial mitigation was introduced in version 1.8.0 by adding manual quoted boundaries, it did not fully prevent injection. Upgrading to Apache NiFi 2.10.0 is recommended to address this issue with improved identifier escaping.
AI Analysis
Technical Summary
CVE-2026-44913 describes a vulnerability in Apache NiFi's CaptureChangeMySQL Processor affecting versions 1.2.0 through 2.9.0. The issue stems from improper escaping or encoding of database table names, enabling crafted names to inject SQL commands. While Apache NiFi 1.8.0 introduced manual quoted boundaries to reduce injection vectors, these measures were incomplete. The vulnerability does not affect NiFi installations that do not use this processor. The recommended remediation is upgrading to version 2.10.0, which includes more robust escaping of identifiers to prevent injection.
Potential Impact
Successful exploitation could allow an attacker with appropriate privileges to inject SQL commands via crafted database table names in the CaptureChangeMySQL Processor. This could lead to unauthorized database operations or data manipulation within the scope of the processor's access. The CVSS 4.0 base score is 5.2 (medium severity), reflecting the requirement for high privileges and user interaction, and the complexity of the attack.
Mitigation Recommendations
Upgrade Apache NiFi to version 2.10.0 or later, which includes improved escaping of database identifiers in the CaptureChangeMySQL Processor. This is the recommended and effective mitigation. No other official fixes or temporary workarounds are documented. Installations not using the CaptureChangeMySQL Processor are not affected and require no action related to this vulnerability.
CVE-2026-44913: CWE-116 Improper Encoding or Escaping of Output in Apache Software Foundation Apache NiFi
Description
Apache NiFi versions 1.2.0 through 2.9.0 have a vulnerability in the CaptureChangeMySQL Processor where improper escaping of database table names allows injection of SQL commands. Although partial mitigation was introduced in version 1.8.0 by adding manual quoted boundaries, it did not fully prevent injection. Upgrading to Apache NiFi 2.10.0 is recommended to address this issue with improved identifier escaping.
CVSS v4.0
Score 5.2medium
Affected software
pkg:maven/Apache Software Foundation/org.apache.nifi:nifi-cdc-mysql-processorsRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-44913 describes a vulnerability in Apache NiFi's CaptureChangeMySQL Processor affecting versions 1.2.0 through 2.9.0. The issue stems from improper escaping or encoding of database table names, enabling crafted names to inject SQL commands. While Apache NiFi 1.8.0 introduced manual quoted boundaries to reduce injection vectors, these measures were incomplete. The vulnerability does not affect NiFi installations that do not use this processor. The recommended remediation is upgrading to version 2.10.0, which includes more robust escaping of identifiers to prevent injection.
Potential Impact
Successful exploitation could allow an attacker with appropriate privileges to inject SQL commands via crafted database table names in the CaptureChangeMySQL Processor. This could lead to unauthorized database operations or data manipulation within the scope of the processor's access. The CVSS 4.0 base score is 5.2 (medium severity), reflecting the requirement for high privileges and user interaction, and the complexity of the attack.
Mitigation Recommendations
Upgrade Apache NiFi to version 2.10.0 or later, which includes improved escaping of database identifiers in the CaptureChangeMySQL Processor. This is the recommended and effective mitigation. No other official fixes or temporary workarounds are documented. Installations not using the CaptureChangeMySQL Processor are not affected and require no action related to this vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-05-08T04:15:35.890Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a38edaaeed863c81e7bf7ba
Added to database: 06/22/2026, 08:09:14 UTC
Last enriched: 06/22/2026, 08:24:28 UTC
Last updated: 06/22/2026, 08:54:07 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.