Skip to main content

Apache NiFi CVE-2026-44913

| EUVDEUVD-2026-38217 MEDIUM
Improper Encoding or Escaping of Output (CWE-116)
5.2
CVSS 4.0 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
5.2 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:L/U:Clear
vuln.today AI
9.9 CRITICAL

Attacker needs network-reachable MySQL with low-privilege CREATE TABLE access; scope change applies because injected SQL executes under NiFi's service account, crossing the security boundary of the vulnerable component.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:L/U:Clear
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
P
Scope
P

Lifecycle Timeline

2
CVSS changed
Jun 22, 2026 - 08:22 NVD
5.2 (MEDIUM)
Analysis Generated
Jun 22, 2026 - 06:24 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

SQL injection via improperly escaped MySQL table names in Apache NiFi's CaptureChangeMySQL Processor (versions 1.2.0 through 2.9.0) allows an attacker with MySQL CREATE TABLE access in a monitored database to inject arbitrary SQL commands executed under NiFi's MySQL service credentials. A partial mitigation introduced in 1.8.0 added manual quoted boundaries that narrowed - but did not eliminate - the injection surface; the root flaw persisted for years until full remediation in 2.10.0. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker obtains low-privilege MySQL CREATE TABLE access in monitored schema
Delivery
Creates table with SQL-injecting identifier in name
Exploit
NiFi CaptureChangeMySQL Processor ingests CDC binary log event for crafted table
Execution
Processor interpolates unsanitized table name into metadata SQL query
Persist
Injected SQL executes under NiFi's MySQL service account credentials
Impact
Unauthorized data read or modification within NiFi's MySQL privilege scope

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following concurrent conditions: (1) an Apache NiFi instance with at least one CaptureChangeMySQL Processor actively deployed and enabled in a running data flow - installations without this processor are entirely unexposed; (2) the attacker must possess MySQL credentials with sufficient privileges to CREATE TABLE in a schema that is actively monitored by that NiFi processor; (3) NiFi must hold CDC-level MySQL access (REPLICATION CLIENT and REPLICATION SLAVE) to the target MySQL instance so that binary log events for the crafted table are consumed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector or EPSS score is available from any source in this dataset, requiring all metric assessments to be inferred from the description, JIRA metadata, and contextual signals. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding a low-privileged MySQL account in a schema monitored by an active NiFi CaptureChangeMySQL Processor creates a table whose name contains SQL metacharacters designed to break out of the identifier context - for example, a backtick-escaped sequence followed by injected SQL statements. When NiFi's processor next polls the MySQL binary log and encounters the CDC event for that table, it constructs a metadata SQL query by interpolating the raw table name, causing the injected fragment to execute under NiFi's MySQL service credentials. …
Remediation Upgrade to Apache NiFi 2.10.0, the vendor-released patch that incorporates robust SQL identifier escaping in the CaptureChangeMySQL Processor, as confirmed by JIRA NIFI-15905 (resolved 2026-05-05, Fix Version 2.10.0) at https://issues.apache.org/jira/browse/NIFI-15905 and implemented via GitHub PR #11206. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all NiFi deployments running versions 1.2.0-2.9.0 with CaptureChangeMySQL Processor active and document their business criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Nifi

View all
CVE-2023-34468 HIGH POC
8.8 Jun 12

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authe

CVE-2017-5636 CRITICAL
9.8 Oct 19

In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization

CVE-2018-1309 CRITICAL
9.8 May 23

Apache NiFi External XML Entity issue in SplitXML processor. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2023-36542 HIGH
8.8 Jul 29

Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retriev

CVE-2022-33140 HIGH
8.8 Jun 15

The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not ne

CVE-2019-12421 HIGH
8.8 Nov 19

When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiF

CVE-2021-20190 HIGH
8.1 Jan 19

A flaw was found in jackson-databind before 2.9.10.7. Rated high severity (CVSS 8.1), this vulnerability is remotely exp

CVE-2017-5635 HIGH
7.5 Oct 19

In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to

CVE-2017-7667 HIGH
7.5 Jun 12

Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow frami

CVE-2026-44914 HIGH
7.5 Jun 20

Authorization bypass in Apache NiFi 1.12.0 through 2.9.0 allows authenticated users with general write access to add Res

CVE-2023-22832 HIGH
7.5 Feb 10

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references

CVE-2022-29265 HIGH
7.5 Apr 30

Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configu

Share

CVE-2026-44913 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy