Description
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, mbstream did not check for /../ in the path when unpacking the archive. A proper backup can never contain such paths, but a specially crafted archive could have caused mbstream to create files outside of the target-dir path. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
Published: 2026-06-12
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The affected MariaDB server releases (from 10.6.1 up to 12.3.1; see Affected Systems for the exact ranges) contain a path-traversal flaw in the mbstream archive extraction routine. The code fails to sanitize "/../" components, meaning a crafted backup archive could create files outside the intended restore directory. An attacker who can supply a malicious archive could thus overwrite critical files or place executable payloads, compromising confidentiality, integrity, or availability of the system.
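The missing check is a containment test on each archive entry before anything is written. The following added example in Python (not MariaDB's own code, which is C++; the entry list and the helper names are constructed for illustration) shows the defensive form: each entry path is joined to the target directory, normalised so embedded ".." components collapse, and then tested for still being inside the target before the file is created.

```python
import os
import tempfile

# Constructed sample archive: (relative path, contents) pairs standing in for
# entries of a streamed backup. The first two are what a legitimate backup
# contains; the last three are the kind of crafted entries the advisory describes.
SAMPLE_ENTRIES = [
    ("xtrabackup_info", b"backup metadata\n"),
    ("mysql/user.ibd", b"tablespace bytes\n"),
    ("../outside.txt", b"escapes target dir\n"),
    ("mysql/../../outside2.txt", b"escapes after normalisation\n"),
    ("/etc/escape.cnf", b"absolute path\n"),
]


def resolve_inside(target_dir, entry_path):
    """Return the absolute destination of entry_path inside target_dir,
    or None if the entry would land outside it.

    Absolute entry paths are rejected outright. Otherwise the path is joined
    to the target and normalised (realpath), so that '..' components are
    collapsed before the containment test. os.path.commonpath is used rather
    than str.startswith so that a target of /backup cannot be escaped by an
    entry resolving to /backup-evil/...
    """
    if os.path.isabs(entry_path):
        return None
    root = os.path.realpath(target_dir)
    dest = os.path.realpath(os.path.join(root, entry_path))
    if os.path.commonpath([root, dest]) != root:
        return None
    return dest


def extract(entries, target_dir):
    """Write each entry below target_dir.

    Returns (written, rejected): lists of entry paths. Rejected entries are
    skipped entirely; nothing is written anywhere for them.
    """
    written, rejected = [], []
    for entry_path, data in entries:
        dest = resolve_inside(target_dir, entry_path)
        if dest is None:
            rejected.append(entry_path)
            continue
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as fh:
            fh.write(data)
        written.append(entry_path)
    return written, rejected


def demo():
    """Run the sample archive through extract() in a scratch directory and
    report what was written, what was rejected, and any stray files that
    appeared next to (i.e. outside) the restore directory."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "restore")
        os.makedirs(target)
        written, rejected = extract(SAMPLE_ENTRIES, target)
        stray = sorted(name for name in os.listdir(tmp) if name != "restore")
        return written, rejected, stray


if __name__ == "__main__":
    print(demo())
```

Running the module extracts the two legitimate entries, rejects the three crafted ones, and leaves nothing outside the restore directory. The same pattern applies when validating any archive format before unpacking it into a fixed location.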

Affected Systems

The vulnerability affects MariaDB server versions 10.6.1 to 10.6.25, 10.11.1 to 10.11.16, 11.4.1 to 11.4.10, 11.8.1 to 11.8.6, and 12.3.1. Fixed releases are 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2 respectively.

Risk and Exploitability

The CVSS score of 6.3 indicates medium severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Exploitation would require the ability to supply a specially crafted backup archive, a step that is typically limited to environments where backups originate from the attacker or are not validated. Once the archive is processed by mbstream, the attacker can write arbitrary files to locations outside the restore target directory. This could lead to privilege escalation or persistence if critical system files are overwritten.

Generated by OpenCVE AI on June 12, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MariaDB install to one of the patched releases (10.6.26, 10.11.17, 11.4.11, 11.8.7, or 12.3.2 or later).
  • If an immediate upgrade is not feasible, do not restore backups that were created by external parties; manually inspect the archive contents and strip any ".." path components before extraction.
  • Configure MariaDB to restrict the restoration directory, for example by setting mbstream.temp.dir to a dedicated secure path and enforcing write-only permissions on that directory.


Advisories

No advisories yet.

History

Fri, 12 Jun 2026 19:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Mariadb, Mariadb server
Vendors & Products                     Mariadb, Mariadb server

Fri, 12 Jun 2026 18:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 18:00:00 +0000

Type          Values Removed   Values Added
Description                    MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, mbstream did not check for /../ in the path when unpacking the archive. A proper backup can never contain such paths, but a specially crafted archive could have caused mbstream to create files outside of the target-dir path. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
Title                          MariaDB: path traversal in mbstream
Weaknesses                     CWE-22
References
Metrics                        cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T18:06:49.446Z

Reserved: 2026-05-05T14:39:34.923Z

Link: CVE-2026-44171

Vulnrichment

Updated: 2026-06-12T18:06:45.517Z

NVD

Status : Received

Published: 2026-06-12T18:16:33.983

Modified: 2026-06-12T18:16:33.983

Link: CVE-2026-44171

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T19:30:31Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')