Description
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, a high-privileged MariaDB user could've used wsrep_sst_receive_address or wsrep_sst_donor global system variables to execute shell commands as the uid of the mariadbd process on the galera joiner node. This issue has been patched in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2.
Published: 2026-06-12
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a high‑privileged MariaDB user to execute arbitrary shell commands as the uid of the mariadbd process by supplying crafted values for the wsrep_sst_receive_address or wsrep_sst_donor global system variables. This is a CWE‑78 OS command injection flaw on the Galera joiner side, and it results in remote code execution as the mariadbd process on that node.

Affected Systems

Affected versions are MariaDB Server 10.6.1 to 10.6.26, 10.11.1 to 10.11.17, 11.4.1 to 11.4.11, 11.8.1 to 11.8.7, and 12.3.1, when the server is running as a Galera joiner node.

Risk and Exploitability

The CVSS score is 8, indicating high severity. However, the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, so there is little evidence of active exploitation. An attack requires a high‑privileged MariaDB user who can change these global variables, so the realistic attack path is an already‑privileged database account, or software that has obtained such privileges.

Generated by OpenCVE AI on June 12, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MariaDB Server to a patched release (10.6.27, 10.11.18, 11.4.12, 11.8.8, or 12.3.2).
  • Audit deployment configurations to ensure wsrep_sst_receive_address and wsrep_sst_donor are not set to untrusted or external values, and limit their modification to trusted administrators.
  • Restrict the creation and use of high‑privileged MariaDB users that have the ability to alter these global variables, applying the principle of least privilege wherever possible.
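As a concrete form of the audit step above, the following is an added example (not OpenCVE's or MariaDB's own code): it parses the tab‑separated output of `SHOW GLOBAL VARIABLES LIKE 'wsrep_sst%'` and flags values of the two variables named in this CVE that contain shell metacharacters or do not look like a plain address or node list. The expected value shapes (AUTO or host[:port]; a comma‑separated list of node names) are assumptions for the check, and the sample output is constructed.

```python
import re

# Constructed sample of `mariadb --batch -e "SHOW GLOBAL VARIABLES LIKE 'wsrep_sst%'"`
# output (tab-separated name/value pairs); the values are made up for this example.
SAMPLE_VARIABLES = """\
wsrep_sst_auth\t
wsrep_sst_donor\tnode2
wsrep_sst_method\tmariabackup
wsrep_sst_receive_address\t10.0.0.5:4444
"""

AUDITED = ("wsrep_sst_receive_address", "wsrep_sst_donor")

# Assumed shape: AUTO, or host[:port] where host is a hostname, an IPv4 address
# or a bracketed IPv6 literal. Anything else is reported for review.
RECEIVE_ADDRESS_RE = re.compile(
    r"^(AUTO|(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9._-]+)(:\d{1,5})?)$"
)
# Assumed shape: comma-separated node names, optionally ending with ','.
DONOR_RE = re.compile(r"^([A-Za-z0-9._-]+(,[A-Za-z0-9._-]+)*,?)?$")
# Characters that have no business in either value and that a shell would interpret.
SHELL_METACHARS = set(";&|`$()<>\\\"'\n\r ")


def parse_variables(text):
    """Turn tab-separated 'name<TAB>value' lines into a dict."""
    variables = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition("\t")
        variables[name.strip()] = value.strip()
    return variables


def audit_sst_variables(text):
    """Return a list of (variable, value, reason) findings; empty means nothing suspicious."""
    variables = parse_variables(text)
    findings = []
    for name in AUDITED:
        value = variables.get(name, "")
        if value == "":
            continue  # unset is the normal state for both variables
        if SHELL_METACHARS & set(value):
            findings.append((name, value, "contains shell metacharacters"))
            continue
        pattern = RECEIVE_ADDRESS_RE if name == "wsrep_sst_receive_address" else DONOR_RE
        if not pattern.match(value):
            findings.append((name, value, "does not match the expected value shape"))
    return findings
```

Run it against the real variable dump on each node and treat any non‑empty result as something an administrator must explain before the node next joins the cluster.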


Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 20:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mariadb; Mariadb server
Vendors & Products | | Mariadb; Mariadb server

Fri, 12 Jun 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, a high-privileged MariaDB user could've used wsrep_sst_receive_address or wsrep_sst_donor global system variables to execute shell commands as the uid of the mariadbd process on the galera joiner node. This issue has been patched in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2.
Title | | MariaDB: unsafe usage of `wsrep_sst_receive_address` values on the joiner side
Weaknesses | | CWE-78
References | |
Metrics | | cvssV3_1 {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:01:05.548Z

Reserved: 2026-05-20T23:12:43.032Z

Link: CVE-2026-48165

Vulnrichment

Updated: 2026-06-12T20:01:00.465Z

NVD

Status: Received

Published: 2026-06-12T18:16:35.177

Modified: 2026-06-12T18:16:35.177

Link: CVE-2026-48165

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T19:45:27Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')