CVE-2026-49261
Published 2026-06-11
Priority: P2 · 58 · Critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.70% (48.6th percentile)
MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with `wsrep_notify_cmd` enabled would execute shell commands embedded in the name of the joiner node. This is fixed in 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. As a workaround, anyone who cannot upgrade now should disable `wsrep_notify_cmd`.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mariadb | mariadb | — | — |
| mariadb | mariadb | — | — |
| mariadb | mariadb | >= 10.11.1 < 10.11.18 | 10.11.18 |
| mariadb | mariadb | >= 10.6.1 < 10.6.27 | 10.6.27 |
| mariadb | mariadb | >= 11.4.1 < 11.4.12 | 11.4.12 |
| mariadb | mariadb | >= 11.8.1 < 11.8.8 | 11.8.8 |
| mariadb | server | — | — |
| mariadb | server | — | — |
| mariadb | server | — | — |
| mariadb | server | — | — |
| mariadb | server | — | — |
| mariadb_10.11 | mariadb | — | — |
| mariadb_11.8 | mariadb | — | — |
Detection & IOCs (extracted from sources)
- Detect shell metacharacters or command injection patterns in Galera joiner node names presented during cluster membership negotiation — the exploit vector is embedding shell commands in the joiner node name when wsrep_notify_cmd is enabled.
- Monitor for unexpected child processes spawned by the MariaDB/mysqld process, which may indicate successful command injection via a malicious joiner node name passed to the wsrep_notify_cmd script.
- Alert on inbound connections to Galera replication ports (4567/tcp, 4568/tcp, 4444/tcp) from hosts not in the known trusted cluster node list — exploitation requires the attacker to stand up a MariaDB/Galera node accepted into the cluster.
- Red Hat's shipped Galera configuration additionally defaults to wsrep_on=0, providing an additional layer of protection in default Red Hat deployments.
- Exploitation also requires the attacker's rogue node to be accepted into the cluster membership view, meaning network-level isolation of Galera ports is an effective compensating control.
CVSS provenance
- NVD · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vendor_redhat · 10.0 CRITICAL
Red Hat
vendor_redhat · 2026-06-11 · CVSS 10.0
CVE-2026-49261 [CRITICAL] CWE-78 mariadb: MariaDB Server: Arbitrary code execution via wsrep_notify_cmd
A flaw was found in MariaDB server. When the `wsrep_notify_cmd` feature is enabled, a remote attacker could exploit this vulnerability by embedding shell commands in the name of a joiner node. This could lead to arbitrary code execution on the server, allowing the attacker to take full control of t
VulDB
vuldb · 2026-06-11 · CVSS 10.0
CVE-2026-49261 [CRITICAL] MariaDB Server up to 12.3.1 os command injection (GHSA-3p3m-4x7c-p4pw)
A vulnerability was found in MariaDB Server up to 10.6.26/10.11.17/11.4.11/11.8.7/12.3.1. It has been rated as critical. Affected by this vulnerability is an unknown functionality. This manipulation causes os command injection.
This vulnerability is tracked as CVE-2026-49261. The attack can be carried out remotely. No exploit exists.
Upgrading the affected component is advised.
No detection rules found.
No public exploits indexed.
References
- https://github.com/MariaDB/server/security/advisories/GHSA-3p3m-4x7c-p4pw
- https://jira.mariadb.org/browse/MDEV-39721
- https://access.redhat.com/errata/RHSA-2026:25143
- https://access.redhat.com/errata/RHSA-2026:25145
- https://access.redhat.com/errata/RHSA-2026:33093
- https://access.redhat.com/errata/RHSA-2026:33412
- https://access.redhat.com/errata/RHSA-2026:33464
- https://access.redhat.com/security/cve/CVE-2026-49261
- https://bugzilla.redhat.com/show_bug.cgi?id=2487957
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49261.json