CVE-2026-44913

MEDIUM EPSS 30.4%

Published Jun 22, 20261w ago · Modified Jun 23, 20266d ago

5.2 CVSS 4.0

Medium

Published Jun 22, 2026 1w ago

Last Modified Jun 23, 2026 6d ago

Description

Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not cover additional strategies. Apache NiFi installations that do not use the CaptureChangeMySQL Processor are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which incorporates more robust identifier escaping.

CVSS Details

Base Score

5.2

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:L/U:Clear

Attack Vector Network

Attack Complexity High

Privileges Required High

User Interaction P

Scope P

Threat Intelligence

EPSS Exploit Probability

30.4% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-116

Affected Products 1

Vendor	Product	Version	Range
apache	nifi	*	≥1.2.0 – <2.10.0

References 2

openwall.com http://www.openwall.com/lists/oss-security/2026/06/20/5

Third Party AdvisoryMailing List
lists.apache.org https://lists.apache.org/thread/c8vkt5rz4dqql6sjxgrr3zdkbt1sfmsl

Vendor AdvisoryMailing List

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.