Description
MariaDB server is a community-developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, during the SST the donor node interpolates parameters that the joiner sent into the command line. Not all parameters were properly validated, which could allow a malicious joiner to execute arbitrary shell commands on the donor side via the mariabackup SST method. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
Published: 2026-06-12
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

During a standard state transfer, the donor node interpolates parameters received from the joiner into the command line used by the mariabackup SST method. Because several parameters were not properly validated, a malicious joiner can supply crafted values that cause the donor to execute arbitrary shell commands. The flaw is a classic command injection (CWE-78) and gives the attacker full code execution on the donor server, potentially compromising the entire cluster and any data the server holds.

Affected Systems

MariaDB Server products in the 10.6, 10.11, 11.4, 11.8, and 12.3 branches are affected. Specifically, versions 10.6.1 through 10.6.25, 10.11.1 through 10.11.16, 11.4.1 through 11.4.10, 11.8.1 through 11.8.6, and 12.3.1 are vulnerable. These issues were fixed in 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.

Risk and Exploitability

The vulnerability carries a CVSS score of 8, indicating high severity. The EPSS score is less than 1%, suggesting that exploitation attempts are currently rare, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers would need the ability to act as a cluster joiner, which typically requires internal network access or a compromised client. If exploited, the attacker achieves full code execution on the donor, enabling data exfiltration, privilege escalation, or further lateral movement across the cluster.

Generated by OpenCVE AI on June 12, 2026 at 19:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest MariaDB release that includes the fix (10.6.26, 10.11.17, 11.4.11, 11.8.7, or 12.3.2).
  • Reconfigure the SST method to disable unsafe parameter interpolation; alternatively, use a verified safe backup tool instead of mariabackup.
  • Limit who can join the cluster by enforcing strict firewall rules and using client authentication so that only trusted nodes can initiate SST.


Tracking


Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 20:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Mariadb; Mariadb server

Type: Vendors & Products
Values Removed: (none)
Values Added: Mariadb; Mariadb server

Fri, 12 Jun 2026 18:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: MariaDB server is a community-developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, during the SST the donor node interpolates parameters that the joiner sent into the command line. Not all parameters were properly validated, which could allow a malicious joiner to execute arbitrary shell commands on the donor side via the mariabackup SST method. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.

Type: Title
Values Removed: (none)
Values Added: MariaDB: wsrep SST unsafe parameter handling on the donor side

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-78

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:09:07.186Z

Reserved: 2026-05-05T14:39:34.923Z

Link: CVE-2026-44168

Vulnrichment

Updated: 2026-06-12T20:09:04.398Z

NVD

Status: Received

Published: 2026-06-12T18:16:33.577

Modified: 2026-06-12T18:16:33.577

Link: CVE-2026-44168

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T19:45:27Z

Weaknesses

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')