- Product: MariaDB server
- Vulnerabilities: 3 flaws (CVE-2026-48163, CVE-2026-48165, CVE-2026-49261)
- Highest severity: 10.0 (Critical · CVSSv3)
- Worst impact: unsafe parameter handling in `wsrep_notify_cmd` lets a malicious joiner node name trigger OS command execution on the server
- Status: No confirmed exploitation yet
- Action: Update MariaDB server to 10.6.27, 10.11.18, 11.4.12, 11.8.8, or 12.3.2 (the fixed release for your track) now
| CVE | CVSS (CVSSv3) | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-49261 | 10 | CWE-78 (OS command injection) | 10.6.27 / 10.11.18 / 11.4.12 / 11.8.8 / 12.3.2 | Not exploited |
| CVE-2026-48163 | 8 | CWE-78 (OS command injection) | 10.6.27 / 10.11.18 / 11.4.12 / 11.8.8 / 12.3.2 | Not exploited |
| CVE-2026-48165 | 8 | CWE-78 (OS command injection) | 10.6.27 / 10.11.18 / 11.4.12 / 11.8.8 / 12.3.2 | Not exploited |
TL;DR
Three serious MariaDB server vulnerabilities in the Galera cluster state-transfer and notification paths allow an attacker to run arbitrary shell commands on affected nodes. The most severe of them carries the maximum CVSS score of 10.
Why It Matters
MariaDB is a foundational open-source SQL server, and countless organizations rely on it for critical data storage. A CVSS 10 vulnerability in it is a catastrophic risk: command execution as the database process gives an attacker control of the host that runs it, and a compromised database host usually means total exposure of the data it holds. These MariaDB server vulnerabilities therefore require immediate administrative action.
How the Attack Works
All three flaws sit in the scripts and hooks that Galera cluster nodes run during State Snapshot Transfer (SST), the operation in which a joining node receives a full copy of the data from a donor node. CVE-2026-48163 affects the donor side during an rsync SST: the donor interpolates parameters supplied by the joiner into a command line without validating them, so a malicious joiner can run arbitrary shell commands on the donor. CVE-2026-48165 affects the joiner side: a privileged database user can manipulate specific global variables so that commands execute as the database process. CVE-2026-49261 involves the wsrep_notify_cmd setting: a vulnerable server runs commands hidden inside a malicious joiner node name. No active exploitation in the wild has been confirmed at the time of writing. Further details are available in the MariaDB security repository.
Affected Versions
These vulnerabilities affect multiple active release tracks: every release before 10.6.27 on the 10.6 track, before 10.11.18 on 10.11, before 11.4.12 on 11.4, before 11.8.8 on 11.8, and before 12.3.2 on 12.3.
Patch or Mitigation Steps
System administrators should install the patched releases immediately: updating to 10.6.27, 10.11.18, 11.4.12, 11.8.8, or 12.3.2 (whichever matches your track) fixes all three bugs. Where patching is delayed, disable the wsrep_notify_cmd feature so the server runs no notification hook, and remove the wsrep_sst_rsync script to prevent the donor-side exploit entirely. Both workarounds stop the immediate shell-execution threat; note that removing wsrep_sst_rsync also disables rsync SST for legitimate joiners, so any node that needs a full state transfer before you patch must use a different SST method.
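As an added example (not from this advisory and not MariaDB project code), the following Python script audits one node against the exposure described above: it parses the server option groups of a my.cnf-style file (a constructed sample is embedded inline), normalises hyphen and underscore option spellings the way the server does, checks whether wsrep_notify_cmd is set and whether SST uses rsync, and compares the server version against the fixed releases listed in this advisory. The config parser, the `audit` helper and the assumption that an unset `wsrep_sst_method` defaults to rsync are mine.

```python
import re

# Fixed releases per release track, as listed in the advisory above.
FIXED_RELEASES = {
    (10, 6): (10, 6, 27),
    (10, 11): (10, 11, 18),
    (11, 4): (11, 4, 12),
    (11, 8): (11, 8, 8),
    (12, 3): (12, 3, 2),
}

# Constructed sample configuration (not from any real deployment).
SAMPLE_CONFIG = """
[client]
socket = /run/mysqld/mysqld.sock

[galera]
wsrep_on = ON
wsrep-provider = /usr/lib/galera/libgalera_smm.so   # hyphenated spelling
wsrep_cluster_address = gcomm://10.0.0.11,10.0.0.12,10.0.0.13
wsrep_sst_method = rsync
wsrep_notify_cmd = /usr/local/bin/cluster-notify.sh
"""


def parse_version(version):
    """Turn a string such as '10.6.26-MariaDB-log' into (10, 6, 26)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised MariaDB version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True/False for a track in the advisory, None if the track is not listed."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed


def parse_server_options(config_text):
    """Collect options from the [mysqld], [mariadb] and [galera] groups.

    Names are lower-cased with '-' mapped to '_' because the server accepts
    both spellings; '#' starts a comment (quoted '#' in values is not handled).
    """
    options = {}
    group = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1].strip().lower()
            continue
        if group not in ("mysqld", "mariadb", "galera"):
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("-", "_")
        options[key] = value.strip().strip('"').strip("'")
    return options


def audit(config_text, version):
    """Return a list of findings for one node; an empty list means nothing to do."""
    findings = []
    patched = is_patched(version)
    if patched is False:
        findings.append(f"server {version} predates the fixed release for its track: upgrade")
    elif patched is None:
        findings.append(f"server {version} is on a track not covered by the advisory: verify separately")

    opts = parse_server_options(config_text)
    if opts.get("wsrep_on", "off").lower() not in ("on", "1", "true"):
        findings.append("wsrep_on is not ON: the Galera SST and notify code paths are inactive here")
        return findings
    if opts.get("wsrep_notify_cmd"):
        findings.append("wsrep_notify_cmd is set (CVE-2026-49261 exposure): unset it until patched")
    # Assumption: when wsrep_sst_method is absent the server default of rsync applies.
    if opts.get("wsrep_sst_method", "rsync").lower() == "rsync":
        findings.append("SST uses rsync (CVE-2026-48163 donor-side exposure): remove wsrep_sst_rsync "
                        "or switch SST method until patched")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "10.6.26-MariaDB-log"):
        print("-", finding)
```

Run it against a real node by reading the server's option files (including any `!includedir` fragments) into `config_text` and passing the output of `SELECT VERSION()` as `version`; a node that reports no findings is patched, has notifications disabled, and does not use rsync SST.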