CVE-2026-49261
published 2026-06-11

Priority: P258
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.70% (48.6th percentile)
MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with `wsrep_notify_cmd` enabled would execute shell commands embedded in the name of the joiner node. This is fixed in 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. As a workaround, anyone who cannot upgrade now should disable `wsrep_notify_cmd`.

Affected (13 ranges)

Vendor        | Product | Version range          | Fixed in
mariadb       | mariadb |                        |
mariadb       | mariadb |                        |
mariadb       | mariadb | >= 10.11.1, < 10.11.18 | 10.11.18
mariadb       | mariadb | >= 10.6.1, < 10.6.27   | 10.6.27
mariadb       | mariadb | >= 11.4.1, < 11.4.12   | 11.4.12
mariadb       | mariadb | >= 11.8.1, < 11.8.8    | 11.8.8
mariadb       | server  |                        |
mariadb       | server  |                        |
mariadb       | server  |                        |
mariadb       | server  |                        |
mariadb       | server  |                        |
mariadb_10.11 | mariadb |                        |
mariadb_11.8  | mariadb |                        |

Detection & IOCs (extracted from sources)

Ports: 4567/tcp, 4568/tcp, 4444/tcp

  • Detect shell metacharacters or command-injection patterns in Galera joiner node names presented during cluster membership negotiation; the exploit vector is a shell command embedded in the joiner node name, which the server executes when wsrep_notify_cmd is enabled.
  • Monitor for unexpected child processes spawned by the MariaDB/mysqld process; these may indicate successful command injection via a malicious joiner node name passed to the wsrep_notify_cmd script.
  • Alert on inbound connections to the Galera replication ports (4567/tcp, 4568/tcp, 4444/tcp) from hosts that are not in the known, trusted cluster node list; exploitation requires the attacker to stand up a MariaDB/Galera node that is accepted into the cluster.
  • Red Hat's shipped Galera configuration additionally defaults to wsrep_on=0, providing a further layer of protection in default Red Hat deployments.
  • Exploitation also requires the attacker's rogue node to be accepted into the cluster membership view, so network-level isolation of the Galera ports is an effective compensating control.

CVSS provenance

NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vendor (Red Hat): 10.0 CRITICAL