CVE-2026-44170
published 2026-06-12


Priority: P261 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.55% (42.0th percentile)
MariaDB server is a community-developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB on Windows with the CONNECT engine installed and REST support enabled interpolated a table's HTTP attribute into the curl command line without proper sanitizing. This allows the user to execute shell commands on the server. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.

Affected

13 ranges

Vendor          Product   Version range            Fixed in
mariadb         mariadb
mariadb         mariadb
mariadb         mariadb   >= 10.11.1 < 10.11.17    10.11.17
mariadb         mariadb   >= 10.6.1 < 10.6.26      10.6.26
mariadb         mariadb   >= 11.4.1 < 11.4.11      11.4.11
mariadb         mariadb   >= 11.8.1 < 11.8.7       11.8.7
mariadb         server
mariadb         server
mariadb         server
mariadb         server
mariadb         server
mariadb_10.11   mariadb
mariadb_11.8    mariadb

Detection & IOCs (extracted from sources)

  • Detect exploitation attempts by monitoring for MariaDB CONNECT engine table creation/alteration with an HTTP attribute containing shell metacharacters (e.g., semicolons, pipes, backticks, ampersands) being passed to the curl command line on Windows systems.
  • Alert on MariaDB server processes spawning unexpected child processes (e.g., cmd.exe, powershell.exe, or other shells) on Windows, which may indicate successful shell command injection via the CONNECT engine REST/curl code path.
  • Flag MariaDB installations on Windows where both the CONNECT engine is installed AND REST support is enabled, as these are the required preconditions for exploitation.
  • Vulnerability is Windows-only; Linux/macOS MariaDB deployments are NOT affected regardless of CONNECT engine or REST support status.
  • Both conditions must be true for exploitability: (1) CONNECT engine must be installed, AND (2) REST support must be enabled. Deployments missing either condition are not vulnerable.
  • Affected version ranges: 10.6.1–10.6.25, 10.11.1–10.11.16, 11.4.1–11.4.10, 11.8.1–11.8.6, and 12.3.1. Patched in 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
  • Red Hat Enterprise Linux packages (mariadb on RHEL 7/8/9/10, mariadb10.11, mariadb11.8, and Hardened Images variants) are all listed as 'Under investigation': patch status for RHEL is not yet confirmed.
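The first two detection points above (CONNECT table DDL whose HTTP attribute carries shell metacharacters, and a MariaDB server process spawning a shell on Windows) as a small detector. This is example code added here, not part of the advisory or of MariaDB; the general-log lines, process names and attribute formats are constructed for illustration.

```python
import re

# Shell metacharacters the advisory cites as injection indicators in the
# CONNECT table's HTTP attribute (newline added: it also ends a command).
SHELL_META = re.compile(r"[;|`&$<>\n]")
DDL = re.compile(r"(?i)\b(?:CREATE|ALTER)\s+TABLE\b")
CONNECT_ENGINE = re.compile(r"(?i)\bENGINE\s*=\s*CONNECT\b")
HTTP_ATTR = re.compile(r"(?i)\bHTTP\s*=\s*(['\"])(.*?)\1")

# Windows process names (assumed): curl.exe is the expected child of a REST
# table fetch; a shell spawned by the server is not.
MARIADB_SERVER = {"mariadbd.exe", "mysqld.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def http_attr_findings(statement):
    """Return (http_value, sorted metacharacters) when a CREATE/ALTER TABLE
    targets ENGINE=CONNECT and its HTTP attribute holds shell metacharacters,
    otherwise None."""
    if not (DDL.search(statement) and CONNECT_ENGINE.search(statement)):
        return None
    m = HTTP_ATTR.search(statement)
    if not m:
        return None
    meta = sorted(set(SHELL_META.findall(m.group(2))))
    return (m.group(2), meta) if meta else None

def scan_log(text):
    """Scan general-log style lines; return [(line_no, http_value, metachars)]."""
    return [(n, *hit) for n, line in enumerate(text.splitlines(), 1)
            if (hit := http_attr_findings(line))]

def suspicious_children(events):
    """events: dicts with 'parent' and 'image' basenames (e.g. from a
    process-creation event). Return those where the server spawned a shell."""
    return [e for e in events
            if e["parent"].lower() in MARIADB_SERVER
            and e["image"].lower() in SHELLS]

# Constructed sample general-log lines, not from a real server.
SAMPLE_LOG = """\
2026-06-12T10:01:02 5 Query CREATE TABLE feed (a INT) ENGINE=CONNECT TABLE_TYPE=JSON HTTP='https://example.invalid/api/items'
2026-06-12T10:01:09 5 Query CREATE TABLE t2 (a INT) ENGINE=INNODB
2026-06-12T10:02:15 7 Query ALTER TABLE feed HTTP='https://example.invalid/api; echo injected' ENGINE=CONNECT
2026-06-12T10:03:30 7 Query CREATE TABLE t3 (a INT) ENGINE=CONNECT TABLE_TYPE=JSON HTTP="https://example.invalid/x|echo hi"
"""

if __name__ == "__main__":
    for line_no, url, meta in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: HTTP attribute {url!r} contains {meta}")
```

Only the two lines whose HTTP value contains a metacharacter are reported; the legitimate REST table on line 1 and the InnoDB table on line 2 are not.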

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v4.0      6.3     MEDIUM     CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat             9.8     CRITICAL