Description
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, during the SST the donor node is interpolating parameters that the joiner sent into the command line. Not all parameters were properly validated which could allow a malicious joiner to execute arbitrary shell commands on the donor side via the rsync SST method. This issue has been patched in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2.
Published: 2026-06-12
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

During a state snapshot transfer (SST) the donor MariaDB server interpolates parameters supplied by a joining node into shell commands without proper validation. The flaw allows an attacker controlling the joiner to inject arbitrary shell commands that execute on the donor machine. The weakness is classified as CWE‑78 (OS command injection).

Affected Systems

The vulnerability affects MariaDB Server community editions from "10.6.1 to before 10.6.27", "10.11.1 to before 10.11.18", "11.4.1 to before 11.4.12", "11.8.1 to before 11.8.8", and the standalone release 12.3.1. Updated releases—10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2—contain the fix.

Risk and Exploitability

The CVSS score of 8 indicates high severity, while the EPSS score of less than 1% suggests that, so far, exploitation has been rare or not observed. The vulnerability is not listed in CISA's KEV catalog. The CVSS vector (AV:N/AC:H/PR:H) reflects that attackers would need to control or compromise a node that is permitted to join the cluster and supply specially crafted parameters during the rsync state snapshot transfer. Successful exploitation would enable remote code execution on the donor node under the account running the SST script, allowing the attacker to gain full administrative access to the database server.

Generated by OpenCVE AI on June 12, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MariaDB Server to the latest releases that contain the SST parameter validation patch (10.6.27, 10.11.18, 11.4.12, 11.8.8, or 12.3.2 and later).
  • If an upgrade cannot be performed immediately, disable the rsync SST method or switch replication to a different state snapshot protocol that does not expose donor‑side parameter interpolation.
  • Configure the database environment so that only trusted nodes are permitted to initiate replication joins and apply networking controls to restrict which IPs can communicate with the donor node.


Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Mariadb; Mariadb server
Vendors & Products  |                | Mariadb; Mariadb server

Fri, 12 Jun 2026 18:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 18:00:00 +0000

Type        | Values Removed | Values Added
Description |                | MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, during the SST the donor node is interpolating parameters that the joiner sent into the command line. Not all parameters were properly validated which could allow a malicious joiner to execute arbitrary shell commands on the donor side via the rsync SST method. This issue has been patched in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2.
Title       |                | MariaDB: wsrep SST unsafe parameter handling on the donor side (rsync)
Weaknesses  |                | CWE-78
References  |                |
Metrics     |                | cvssV3_1: {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T18:05:44.656Z

Reserved: 2026-05-20T23:12:43.032Z

Link: CVE-2026-48163

Vulnrichment

Updated: 2026-06-12T18:02:55.863Z

NVD

Status: Received

Published: 2026-06-12T18:16:35.037

Modified: 2026-06-12T18:16:35.037

Link: CVE-2026-48163

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:00:18Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')