Description
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB allowed SELECT ... INTO OUTFILE and SELECT ... INTO DUMPFILE without verifying the FILE privilege if the FROM clause contained only subqueries. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
Published: 2026-06-12
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MariaDB allows the SELECT … INTO OUTFILE or SELECT … INTO DUMPFILE statements to write a file when the FROM clause contains only subqueries, without verifying that the caller has the FILE privilege. The likely attack vector is an attacker who already has SELECT rights issuing such a statement with a crafted filename. Based on the description, it is inferred that the attacker can create or overwrite files in directories writable by the database server process, potentially leading to persistence or privilege escalation. This flaw violates privilege checks (CWE-266) and access control (CWE-863).

Affected Systems

MariaDB server versions 10.6.1 through 10.6.25, 10.11.1 through 10.11.16, 11.4.1 through 11.4.10, 11.8.1 through 11.8.6, and 12.3.1 are affected. The issue was fixed in 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2. The affected product is MariaDB server, a community-developed fork of MySQL.

Risk and Exploitability

The CVSS score of 5 indicates moderate severity. The EPSS score of less than 1% means that the probability of exploitation is very low, and there are no known public exploit examples. The vulnerability is not listed in CISA KEV. An attacker would need SELECT privileges; there is no remote code execution vector. However, the ability to write arbitrary files could be leveraged for persistence or privilege escalation if writable directories are present. Based on the description, it is inferred that the attacker would need the database process to have write access to the target directory, which is an environmental prerequisite that may reduce the exploitability.

Generated by OpenCVE AI on June 23, 2026 at 14:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MariaDB to a patched version (10.6.26+, 10.11.17+, 11.4.11+, 11.8.7+, or 12.3.2+).
  • If an immediate upgrade is not possible, restrict unprivileged users from executing SELECT … INTO OUTFILE or SELECT … INTO DUMPFILE, or consider disabling these statements via configuration or application logic.
  • Apply appropriate file system permissions or role-based access controls to prevent unwarranted write access to critical directories, and monitor database logs for suspicious file creation activity.

Generated by OpenCVE AI on June 23, 2026 at 14:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-266
References
Metrics threat_severity

None

threat_severity

Important


Tue, 16 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Mariadb mariadb
CPEs cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*
cpe:2.3:a:mariadb:mariadb:12.3.1:*:*:*:*:*:*:*
Vendors & Products Mariadb mariadb

Fri, 12 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Mariadb
Mariadb server
Vendors & Products Mariadb
Mariadb server

Fri, 12 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Description MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB allowed SELECT ... INTO OUTFILE and SELECT ... INTO DUMPFILE without verifying the FILE privilege if the FROM clause contained only subqueries. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
Title MariaDB: FILE privilege was not checked for subqueries in the FROM clause
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-02T12:04:59.604Z

Reserved: 2026-05-05T14:39:34.923Z

Link: CVE-2026-44173

cve-icon Vulnrichment

Updated: 2026-07-02T12:04:59.604Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-12T18:16:34.257

Modified: 2026-06-16T19:04:35.470

Link: CVE-2026-44173

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-12T17:34:30Z

Links: CVE-2026-44173 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T14:15:04Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment

  • CWE-863

    Incorrect Authorization