Description
MariaDB server is a community-developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB on Windows with the CONNECT engine installed and REST support enabled interpolated the table HTTP attribute into the curl command line without proper sanitizing. This allows the user to execute shell commands on the server. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
Published: 2026-06-12
Score: 6.3 (Medium)
EPSS: < 1% (Very Low)
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in MariaDB Server arises when the CONNECT engine's REST module interpolates the table HTTP attribute directly into a curl command line executed on Windows. Because the URL value is not sanitized, an attacker who controls that attribute can inject arbitrary shell commands into the curl invocation, resulting in remote code execution. The flaw is classified as CWE-78 (OS command injection); it lets an adversary run code with the privileges of the MariaDB process, potentially leading to full system compromise, data exfiltration, or pivoting to other services.

Affected Systems

MariaDB Server on Windows with the CONNECT engine and REST support enabled is affected. The vulnerability applies to releases 10.6.1 through 10.6.25, 10.11.1 through 10.11.16, 11.4.1 through 11.4.10, 11.8.1 through 11.8.6, and the single release 12.3.1. All other MariaDB versions and non-Windows platforms are not listed as vulnerable.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, and the EPSS score below 1%, together with the vulnerability's absence from the CISA KEV catalog, suggests a low probability of exploitation in the wild. The likely attack vector is a crafted REST request that delivers a malicious URL containing shell commands; this inference is drawn from the description, which states that the vulnerable value is interpolated into a curl command line. Exploitation would require the REST service to be reachable, or the attacker to hold authentication credentials for the MariaDB server. Successful exploitation grants remote command execution with MariaDB process privileges, which can escalate to full control of the Windows host.

Generated by OpenCVE AI on June 12, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade MariaDB Server to a patched version: ≥10.6.26, ≥10.11.17, ≥11.4.11, ≥11.8.7, or ≥12.3.2.
  • If an immediate upgrade is not possible, disable the CONNECT engine or REST support so that the curl command is no longer invoked.
  • Remove or disable the Xcurl connector from the CONNECT engine configuration to prevent the vulnerable interpolation from occurring.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 19:45:00 +0000

  • First Time appeared: added Mariadb, Mariadb server
  • Vendors & Products: added Mariadb, Mariadb server

Fri, 12 Jun 2026 19:30:00 +0000

  • Metrics (ssvc): added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 18:00:00 +0000

  • Description: added "MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB on Windows with installed CONNECT engine and enabled REST support interpolated table HTTP attribute into the curl command line without proper sanitizing. This allows the user to execute shell commands on the server. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2."
  • Title: added "MariaDB: Argument injection in CONNECT REST Xcurl on Windows via unsanitized URL"
  • Weaknesses: added CWE-78
  • References: none
  • Metrics (cvssV4_0): added {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T18:31:23.373Z

Reserved: 2026-05-05T14:39:34.923Z

Link: CVE-2026-44170

Vulnrichment

Updated: 2026-06-12T18:31:17.570Z

NVD

Status: Received

Published: 2026-06-12T18:16:33.853

Modified: 2026-06-12T18:16:33.853

Link: CVE-2026-44170

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:00:18Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')