This is an automated email from the ASF dual-hosted git repository. exceptionfactory pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi-site.git
commit 84f1203d003eac6344eb44754c66c85f7bc0e1b8 Author: exceptionfactory <[email protected]> AuthorDate: Sat Jun 20 11:42:26 2026 -0500 NIFI-15905 Published CVE-2026-44913 --- content/documentation/security.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/content/documentation/security.md b/content/documentation/security.md index 00ba5cd6..4530e504 100644 --- a/content/documentation/security.md +++ b/content/documentation/security.md @@ -71,6 +71,26 @@ Severity ratings represent the determination of project members based on an eval The following announcements include published vulnerabilities that apply directly to Apache NiFi components. +{{< vulnerability +id="CVE-2026-44913" +title="Improper Escaping of Table Names in CaptureChangeMySQL" +published="2026-06-20" +severity="Medium" +products="Apache NiFi" +affectedVersions="1.2.0 to 2.9.0" +fixedVersion="2.10.0" +jira="NIFI-15905" +pullRequest="11206" +reporter="Roberto Suggi Liverani from NATO Cyber Security Centre (NCSC)" >}} + +Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through +2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 +narrowed the scope of potential injection options, but did not cover additional strategies. Apache NiFi installations +that do not use the CaptureChangeMySQL Processor are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 +is the recommended mitigation, which incorporates more robust identifier escaping. + +{{</ vulnerability >}} + {{< vulnerability id="CVE-2026-44911" title="Incorrect Authorization for Configuration Verification Requests"
