CVE-2026-44170
Published 2026-06-12
Priority P261 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.55% (42.0th percentile)
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB on Windows with the CONNECT engine installed and REST support enabled interpolated the table's HTTP attribute into the curl command line without proper sanitization. This allows a user who can define such a table to execute shell commands on the server. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
Affected (13 indexed ranges; the 12.3.1 row is taken from the advisory text, which the index omits)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mariadb | mariadb | — | — |
| mariadb | mariadb | — | — |
| mariadb | mariadb | >= 10.6.1 < 10.6.26 | 10.6.26 |
| mariadb | mariadb | >= 10.11.1 < 10.11.17 | 10.11.17 |
| mariadb | mariadb | >= 11.4.1 < 11.4.11 | 11.4.11 |
| mariadb | mariadb | >= 11.8.1 < 11.8.7 | 11.8.7 |
| mariadb | mariadb | = 12.3.1 | 12.3.2 |
| mariadb | server | — | — |
| mariadb | server | — | — |
| mariadb | server | — | — |
| mariadb | server | — | — |
| mariadb | server | — | — |
| mariadb_10.11 | mariadb | — | — |
| mariadb_11.8 | mariadb | — | — |
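As an added example (not MariaDB's or Red Hat's code), the version ranges and the three preconditions from the advisory text above, coded so they can be run over an inventory export. The assumed inputs are what `SELECT VERSION()` and `@@version_compile_os` return and the SUPPORT column of `SHOW ENGINES`; the REST-support flag is supplied by the caller because the page names no server variable that exposes it, and the host rows are constructed.

```python
"""Version and precondition triage for CVE-2026-44170.

Added example, not MariaDB or vendor code. Ranges come from the advisory
text. The REST flag is a caller-supplied assumption: the advisory does not
name a server variable for it.
"""
import re

# (first affected, first fixed) per branch. 12.3.1 is the only affected
# 12.3 release and 12.3.2 is its fix, so that range covers one version.
AFFECTED_RANGES = [
    ((10, 6, 1), (10, 6, 26)),
    ((10, 11, 1), (10, 11, 17)),
    ((11, 4, 1), (11, 4, 11)),
    ((11, 8, 1), (11, 8, 7)),
    ((12, 3, 1), (12, 3, 2)),
]


def parse_version(version_string):
    """'10.11.16-MariaDB-log' -> (10, 11, 16); raises ValueError otherwise."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"unrecognised MariaDB version: {version_string!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version_string):
    """True when the version lies in an affected range (the fixed bound is excluded)."""
    v = parse_version(version_string)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def is_windows(compile_os):
    """@@version_compile_os reads e.g. 'Win64' on Windows builds (assumed value)."""
    return compile_os.lower().startswith("win")


def is_exploitable(version_string, compile_os, engines, rest_support):
    """Combine the advisory's preconditions: version, Windows, CONNECT loaded, REST on.

    engines: mapping engine name -> SUPPORT column of SHOW ENGINES. CONNECT
    counts only when loaded ('YES' or 'DEFAULT'), not when merely on disk.
    """
    connect_loaded = engines.get("CONNECT", "NO").upper() in ("YES", "DEFAULT")
    return (is_affected_version(version_string)
            and is_windows(compile_os)
            and connect_loaded
            and bool(rest_support))


def triage(hosts):
    """Names of hosts (dicts with version/os/engines/rest keys) that need the fix."""
    return [h["name"] for h in hosts
            if is_exploitable(h["version"], h["os"], h["engines"], h["rest"])]


# Constructed inventory rows, not real hosts.
SAMPLE_HOSTS = [
    {"name": "win-db-1", "version": "10.11.16-MariaDB", "os": "Win64",
     "engines": {"InnoDB": "DEFAULT", "CONNECT": "YES"}, "rest": True},
    {"name": "win-db-2", "version": "10.11.17-MariaDB", "os": "Win64",
     "engines": {"InnoDB": "DEFAULT", "CONNECT": "YES"}, "rest": True},
    {"name": "lin-db-1", "version": "10.6.25-MariaDB-log", "os": "Linux",
     "engines": {"InnoDB": "DEFAULT", "CONNECT": "YES"}, "rest": True},
    {"name": "win-db-3", "version": "12.3.1-MariaDB", "os": "Win64",
     "engines": {"InnoDB": "DEFAULT"}, "rest": True},
]

if __name__ == "__main__":
    print("needs patching:", triage(SAMPLE_HOSTS))
```

Only win-db-1 comes out of the sample set: win-db-2 already runs the fixed 10.11.17, lin-db-1 is not a Windows build, and win-db-3 runs an affected 12.3.1 but has no CONNECT engine loaded.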
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring for MariaDB CONNECT engine table creation or alteration (CREATE TABLE / ALTER TABLE with ENGINE=CONNECT) whose HTTP attribute contains shell metacharacters (semicolons, pipes, ampersands, carets, backticks, double quotes) on Windows systems; that attribute value is what the engine passes to the curl command line.
- Alert on mysqld.exe on Windows spawning unexpected child processes (cmd.exe, powershell.exe or other shells and tools). Caveat: the REST path itself launches curl through a command line, so a curl.exe child, or a cmd.exe child whose command line is a single curl invocation, is expected on a server that legitimately uses REST tables (the advisory does not say whether curl is run directly or through cmd.exe). The signal is any other child of mysqld.exe, or a command line that carries a second command after the curl arguments.
- Flag MariaDB installations on Windows where both the CONNECT engine is installed AND REST support is enabled; these are the required preconditions for exploitation.
- The vulnerability is Windows-only; Linux and macOS MariaDB deployments are not affected regardless of CONNECT engine or REST support status.
- Both conditions must hold for exploitability: (1) the CONNECT engine is installed, and (2) REST support is enabled. Deployments missing either condition are not vulnerable.
- Affected version ranges: 10.6.1–10.6.25, 10.11.1–10.11.16, 11.4.1–11.4.10, 11.8.1–11.8.6, and 12.3.1. Patched in 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
- Red Hat Enterprise Linux packages (mariadb on RHEL 7/8/9/10, mariadb10.11, mariadb11.8, and Hardened Images variants) are listed as 'Under investigation'; patch status for RHEL is not yet confirmed. Two Red Hat errata (RHSA-2026:25143 and RHSA-2026:25145) are linked in the references below, so check the Red Hat CVE page for the current per-package status.
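A worked detection for the first two points above, added here and not taken from the advisory or from any vendor rule. It scans general-log style query lines for CREATE/ALTER TABLE statements that set a CONNECT HTTP attribute and reports shell metacharacters in the value, and it classifies process-creation events whose parent is mysqld.exe. The log layout, the Sysmon-style field names (ParentImage, Image, CommandLine), the assumption that a benign REST fetch is a single curl invocation, and every sample line are constructed.

```python
"""Detection helpers for the CONNECT/REST command-injection pattern.

Added example, not MariaDB or vendor code. Log layout, event field names
and every sample line below are constructed for illustration.
"""
import ntpath
import re

# Characters that let an attribute value break out of a Windows cmd.exe
# command line (or a POSIX shell). Assumption: any of them in an HTTP
# attribute is treated as suspicious; legitimate URLs do not need them.
SHELL_META = set('&|^<>";`\r\n')

DDL_RE = re.compile(r"^\s*(CREATE|ALTER)\s+TABLE\b(?P<body>.*)$", re.I | re.S)
HTTP_RE = re.compile(r"\bHTTP\s*=\s*'(?P<val>(?:[^']|'')*)'", re.I)
ENGINE_RE = re.compile(r"\bENGINE\s*=\s*CONNECT\b", re.I)
QUOTED_RE = re.compile(r'"[^"]*"')


def scan_query_log(lines):
    """Findings for CREATE/ALTER TABLE statements that set a CONNECT HTTP option.

    Assumed general-log layout: time<TAB>thread-id Command<TAB>Argument.
    Each finding carries the thread id, statement kind, the HTTP value,
    whether ENGINE=CONNECT appears in the same statement (an ALTER may
    not repeat it), and the shell metacharacters found in the value.
    """
    findings = []
    for line in lines:
        parts = line.split("\t")
        if len(parts) < 3 or not parts[1].strip().endswith("Query"):
            continue
        stmt = "\t".join(parts[2:])
        ddl = DDL_RE.match(stmt)
        if not ddl:
            continue
        http = HTTP_RE.search(ddl.group("body"))
        if not http:
            continue
        value = http.group("val").replace("''", "'")  # undo SQL quote doubling
        findings.append({
            "thread": parts[1].split()[0],
            "kind": ddl.group(1).upper(),
            "http": value,
            "connect": bool(ENGINE_RE.search(stmt)),
            "meta": sorted(set(value) & SHELL_META),
        })
    return findings


def classify_process_event(ev):
    """Classify a process-creation event (Sysmon event 1 style fields assumed).

    None      : parent is not mysqld.exe
    expected  : cmd.exe/curl.exe child whose command line is one curl call
                (assumed to be what the REST path spawns)
    suspicious: any other child, or metacharacters / stray quotes outside
                the double-quoted arguments (a quote breakout leaves them)
    """
    if ntpath.basename(ev.get("ParentImage", "")).lower() != "mysqld.exe":
        return None
    child = ntpath.basename(ev.get("Image", "")).lower()
    if child not in ("cmd.exe", "curl.exe"):
        return "suspicious"
    unquoted = QUOTED_RE.sub("", ev.get("CommandLine", ""))
    if set(unquoted) & SHELL_META:
        return "suspicious"
    if not re.search(r"\bcurl(\.exe)?\b", unquoted, re.I):
        return "suspicious"
    return "expected"


# Constructed samples: a benign REST table, an injected HTTP value,
# an ALTER that changes the attribute, plus non-DDL noise.
SAMPLE_QUERY_LOG = [
    "260612 10:00:00\t    12 Connect\tapp@localhost on shop",
    "260612 10:00:01\t    12 Query\tCREATE TABLE prices ENGINE=CONNECT TABLE_TYPE=JSON "
    "HTTP='https://api.example.test' URI='/v1/prices'",
    "260612 10:00:02\t    12 Query\tCREATE TABLE x ENGINE=CONNECT TABLE_TYPE=JSON "
    "HTTP='http://127.0.0.1/\" & powershell -enc AAAA & \"' URI='/'",
    "260612 10:00:03\t    13 Query\tALTER TABLE prices HTTP='https://api2.example.test'",
    "260612 10:00:04\t    13 Query\tSELECT * FROM prices",
]

MYSQLD = r"C:\Program Files\MariaDB 10.11\bin\mysqld.exe"
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": MYSQLD, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c curl -o "C:\\tmp\\prices.json" "https://api.example.test/v1/prices"'},
    {"ParentImage": MYSQLD, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c curl -o "C:\\tmp\\x.json" "http://127.0.0.1/" & powershell -enc AAAA & ""'},
    {"ParentImage": MYSQLD, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc AAAA"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for f in scan_query_log(SAMPLE_QUERY_LOG):
        print("DDL", f["kind"], "thread", f["thread"], "meta", f["meta"], "->", f["http"])
    for ev in SAMPLE_PROCESS_EVENTS:
        print("PROC", classify_process_event(ev), ntpath.basename(ev["Image"]))
```

The two halves complement each other: the DDL scan catches the attempt at the SQL layer whether or not it succeeds, and the process classifier catches a successful breakout regardless of how the attacker reached the DDL. The process rule deliberately tolerates the curl child so that a server that legitimately uses REST tables does not page on every fetch.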
CVSS provenance
- nvd, CVSS v3.1: 9.8 CRITICAL
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd, CVSS v4.0: 6.3 MEDIUM
  CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- vendor_redhat: 9.8 CRITICAL
The two NVD scores diverge because the v4.0 vector records attack requirements (AT:P, the Windows + CONNECT + REST preconditions) and rates confidentiality, integrity and availability impact as Low, while v3.1 has no such metric and rates all three High. Both vectors carry PR:N, yet the advisory describes a user defining a CONNECT table with an HTTP attribute, which needs an authenticated session with table-creation rights; for prioritisation, treat this as an authenticated database user reaching OS command execution rather than an unauthenticated network attack.
VulDB
CVE-2026-44170 [MEDIUM] MariaDB Server up to 12.3.1 on Windows Command Line os command injection (GHSA-f835-cfjq-wf73)
vuldb · 2026-06-12 · CVSS 6.3
A vulnerability was found in MariaDB Server up to 10.6.25/10.11.16/11.4.10/11.8.6/12.3.1 on Windows and classified as critical. The impacted element is an unknown function of the component Command Line Handler. Executing a manipulation can lead to OS command injection.
This vulnerability is handled as CVE-2026-44170. The attack can be executed remotely. No exploit is available.
It is suggested to upgrade the affected component.
Red Hat
CVE-2026-44170 [CRITICAL] CWE-78 mariadb: MariaDB server: Arbitrary shell command execution via improper sanitization in CONNECT engine
vendor_redhat · 2026-06-12 · CVSS 9.8
A flaw was found in MariaDB server. When the CONNECT engine is installed and REST support is enabled on Windows, a user can exploit improper sanitization of the table HTTP attribute. This at
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-44170 [CRITICAL] mariadb10.11: Arbitrary shell command execution via improper sanitization in CONNECT engine [fedora-all]
bugzilla · 2026-06-30 · CVSS 9.8
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-44170 [CRITICAL] mariadb11.8: Arbitrary shell command execution via improper sanitization in CONNECT engine [fedora-all]
bugzilla · 2026-06-30 · CVSS 9.8
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-44170 [CRITICAL] mariadb: MariaDB server: Arbitrary shell command execution via improper sanitization in CONNECT engine
bugzilla · 2026-06-12 · CVSS 9.8
References
- https://github.com/MariaDB/server/security/advisories/GHSA-f835-cfjq-wf73
- https://jira.mariadb.org/browse/MDEV-39289
- https://access.redhat.com/errata/RHSA-2026:25143
- https://access.redhat.com/errata/RHSA-2026:25145
- https://access.redhat.com/security/cve/CVE-2026-44170
- https://bugzilla.redhat.com/show_bug.cgi?id=2488451
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44170.json