Impact
The vulnerability is an unsafe parameter handling flaw in the MariaDB server that allows the execution of arbitrary shell commands embedded in the name of a joiner node when the wsrep_notify_cmd feature is enabled. This flaw enables a remote adversary to run shell commands with the permissions of the MariaDB process, potentially leading to full system compromise. The weakness corresponds to CWE-78 (OS command injection) and carries a CVSS score of 10, the highest severity.
Affected Systems
MariaDB server versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 are affected when wsrep_notify_cmd is enabled. The fixed versions are 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. The vulnerability applies to MariaDB, the community-developed fork of MySQL.
Risk and Exploitability
The CVSS score of 10 places this flaw in the critical severity class, and no EPSS score is available, so the likelihood of exploitation is difficult to quantify precisely. The flaw is not listed in CISA's KEV catalog, but its high impact and potential for remote code execution make it a top priority for mitigation. A likely attack vector would involve an adversary either controlling or influencing the node that joins the cluster, so that the attacker-sourced joiner node name is passed to wsrep_notify_cmd and executed as part of the shell command. Since the flaw manifests during node-joining operations, exploitation requires the ability to affect the cluster configuration or the node spawn process. The absence of publicly known exploits at the time of reporting does not reduce the risk, given the critical nature of the vulnerability and the ease of exploitation once those conditions are met.
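The two preconditions above (an affected version and a non-empty wsrep_notify_cmd) can be turned into an inventory check. The following is an added example written for this page, not MariaDB project code: it encodes the affected and fixed version ranges exactly as the advisory lists them, parses the string returned by SELECT VERSION(), and combines it with the value of the wsrep_notify_cmd server variable (as shown by SHOW GLOBAL VARIABLES). The sample server inventory is constructed, and the status labels ("exposed", "patch-advised", "not-affected") are this example's own naming.

```python
"""Exposure check for the MariaDB wsrep_notify_cmd command-injection flaw.

Added example, not MariaDB project code. A server is classified as exposed
when its version falls in one of the affected ranges from the advisory AND
wsrep_notify_cmd is set to a non-empty value. The sample server responses
at the bottom are constructed for illustration.
"""
import re

# Affected ranges from the advisory: (lowest affected, highest affected).
AFFECTED_RANGES = [
    ((10, 6, 1), (10, 6, 26)),
    ((10, 11, 1), (10, 11, 17)),
    ((11, 4, 1), (11, 4, 11)),
    ((11, 8, 1), (11, 8, 7)),
    ((12, 3, 1), (12, 3, 1)),
]

# First fixed release per branch, keyed by (major, minor).
FIXED_VERSIONS = {
    (10, 6): (10, 6, 27),
    (10, 11): (10, 11, 18),
    (11, 4): (11, 4, 12),
    (11, 8): (11, 8, 8),
    (12, 3): (12, 3, 2),
}


def parse_version(version_string):
    """Extract (major, minor, patch) from a VERSION() string such as
    '10.6.26-MariaDB-log'. Raises ValueError if the string does not start
    with three dot-separated integers."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version_string.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    return tuple(int(part) for part in m.groups())


def is_affected_version(version):
    """True if the parsed version lies inside any affected range
    (tuple comparison is lexicographic, so ranges compare correctly)."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def fixed_version_for(version):
    """First fixed release on the same branch, or None if the branch is
    not one the advisory lists."""
    return FIXED_VERSIONS.get(version[:2])


def assess(version_string, wsrep_notify_cmd):
    """Combine the advisory's two preconditions into one status:
      'exposed'        affected version and wsrep_notify_cmd is set
      'patch-advised'  affected version, notify command unset or empty
      'not-affected'   version outside every affected range
    """
    version = parse_version(version_string)
    if not is_affected_version(version):
        return "not-affected"
    if wsrep_notify_cmd is not None and wsrep_notify_cmd.strip():
        return "exposed"
    return "patch-advised"


def format_report(version_string, wsrep_notify_cmd):
    """One human-readable line per server for an inventory report."""
    status = assess(version_string, wsrep_notify_cmd)
    fixed = fixed_version_for(parse_version(version_string))
    fixed_text = ".".join(map(str, fixed)) if fixed else "n/a"
    return f"{version_string}: {status} (fixed in {fixed_text})"


# Constructed sample inventory: (SELECT VERSION() output, wsrep_notify_cmd value)
SAMPLE_SERVERS = [
    ("10.6.26-MariaDB-log", "/usr/local/bin/wsrep_notify.sh"),  # exposed
    ("10.11.18-MariaDB", "/usr/local/bin/wsrep_notify.sh"),     # already fixed
    ("11.4.11-MariaDB", ""),                                     # patch-advised
    ("12.3.1-MariaDB", None),                                    # patch-advised
]

if __name__ == "__main__":
    for ver, cmd in SAMPLE_SERVERS:
        print(format_report(ver, cmd))
```

Servers reported as "patch-advised" are not currently reachable through this flaw, but the ranges given here are the advisory's, so upgrading to the listed fixed release remains the correct remediation rather than relying on wsrep_notify_cmd staying unset.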
OpenCVE Enrichment