
CVE-2026-44168: MariaDB Server RCE Vulnerability

CVE-2026-44168 is a remote code execution flaw in MariaDB Server affecting the mariabackup SST method. Attackers can exploit improper parameter validation to execute shell commands. This article covers technical details, affected versions, impact, and mitigation.

CVE-2026-44168 Overview

CVE-2026-44168 is a command injection vulnerability [CWE-78] in MariaDB server affecting the State Snapshot Transfer (SST) process. During SST operations using the mariabackup method, the donor node interpolates parameters sent by the joiner directly into shell command lines. Insufficient validation of these parameters allows a malicious joiner to execute arbitrary shell commands on the donor node. The flaw affects MariaDB versions 10.6.1 through 10.6.25, 10.11.1 through 10.11.16, 11.4.1 through 11.4.10, 11.8.1 through 11.8.6, and 12.3.1. MariaDB addressed the issue in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.

Critical Impact

A malicious joiner node in a Galera cluster can execute arbitrary shell commands on a donor node during SST via the mariabackup method, leading to remote code execution under the database server account.

Affected Products

  • MariaDB server 10.6.1 up to but not including 10.6.26
  • MariaDB server 10.11.1 up to but not including 10.11.17, 11.4.1 up to but not including 11.4.11, and 11.8.1 up to but not including 11.8.7
  • MariaDB server 12.3.1

Discovery Timeline

  • 2026-06-12 - CVE-2026-44168 published to NVD
  • 2026-06-18 - Last updated in NVD database

Technical Details for CVE-2026-44168

Vulnerability Analysis

The vulnerability resides in the SST workflow used by MariaDB Galera clusters. SST transfers a full data snapshot from a donor node to a joiner node when the joiner needs to synchronize state. The mariabackup SST method invokes shell commands on the donor side, and several command line arguments are populated from values supplied by the joiner.

The donor process interpolates joiner-supplied parameters into shell command strings without validating each parameter against an allowlist of safe characters. An adversary controlling a joiner can craft parameter values containing shell metacharacters such as backticks, $(), or ; to break out of the intended command context. The injected commands run with the privileges of the MariaDB service account on the donor host.

Exploitation requires the attacker to participate in the Galera cluster as a joiner, which is why the vulnerability profile rates Privileges Required as high. Successful exploitation grants code execution across a separate trust boundary, the donor node, which is why Scope is rated as changed.

Root Cause

The root cause is improper neutralization of special elements used in an operating system command [CWE-78]. The donor SST handler passes joiner-controlled strings to a shell interpreter without consistent validation. The patched releases tighten parameter validation in the mariabackup SST path so untrusted input cannot influence shell parsing.
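The root cause above describes the general fix pattern: validate each joiner-supplied value against a per-parameter allowlist and never let it reach a shell parser. The following Python is an added illustration of that pattern, not MariaDB's own SST code; the parameter kinds, allowlist patterns and the `example-sst-transfer` command and flags are assumptions for this example and do not reflect mariabackup's real command line.

```python
import re

# Hypothetical allowlists per SST parameter class. These patterns are an
# assumption for this example, not MariaDB's actual validation rules.
_ALLOWLISTS = {
    "host": re.compile(r"^[A-Za-z0-9.\-]{1,253}$"),
    "port": re.compile(r"^[0-9]{1,5}$"),
    "path": re.compile(r"^/[A-Za-z0-9._/\-]{0,4095}$"),
}


def validate_sst_param(kind, value):
    """Return value unchanged if it matches the allowlist for its kind,
    otherwise raise ValueError. Anything outside the allowlist, including
    backticks, $(), ; and |, is rejected before a command is ever built."""
    pattern = _ALLOWLISTS.get(kind)
    if pattern is None:
        raise ValueError(f"unknown parameter kind {kind!r}")
    if not isinstance(value, str) or not pattern.fullmatch(value):
        raise ValueError(f"{kind} parameter rejected: {value!r}")
    if kind == "port" and not 1 <= int(value) <= 65535:
        raise ValueError(f"port out of range: {value!r}")
    return value


def build_donor_argv(joiner_host, joiner_port, datadir):
    """Hardened form: build the donor-side transfer command as an argv list.
    Every joiner-supplied field is validated first, and the list form means
    no shell is involved, so metacharacters are never interpreted even if a
    check were missed. The command name and flags are placeholders."""
    host = validate_sst_param("host", joiner_host)
    port = validate_sst_param("port", joiner_port)
    path = validate_sst_param("path", datadir)
    return [
        "/usr/bin/example-sst-transfer",
        "--target-host", host,
        "--target-port", port,
        "--datadir", path,
    ]


def unsafe_command_line(joiner_host, joiner_port, datadir):
    """The vulnerable pattern for contrast: joiner input interpolated straight
    into a single shell command string. Returned only, never executed."""
    return (f"example-sst-transfer --target-host {joiner_host} "
            f"--target-port {joiner_port} --datadir {datadir}")


if __name__ == "__main__":
    print(build_donor_argv("joiner1.example.internal", "4444", "/var/lib/mysql"))
    try:
        build_donor_argv("joiner1;x", "4444", "/var/lib/mysql")
    except ValueError as exc:
        print("rejected:", exc)
```

The point of the contrast is that `unsafe_command_line` hands whatever the joiner sent to a shell verbatim, while `build_donor_argv` fails closed on the first field that does not match its allowlist and, even for accepted values, passes them as separate argv entries rather than through shell parsing.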

Attack Vector

An attacker who can authenticate to or impersonate a Galera cluster member initiates an SST request to a donor node. The joiner sends parameters containing shell metacharacters embedded in fields that the donor passes to mariabackup. When the donor executes the SST command line, the embedded payload runs on the donor host. See the GitHub Security Advisory GHSA-vwf7-w26c-9w5h and MariaDB Jira Issue MDEV-39413 for vendor technical details.

Detection Methods for CVE-2026-44168

Indicators of Compromise

  • Unexpected child processes spawned by the mariabackup or mysqld process on donor nodes, particularly shells such as /bin/sh, /bin/bash, or interpreters like python and perl.
  • SST log entries on the donor showing unusual characters such as backticks, $(), semicolons, or pipes in joiner-supplied parameters.
  • Outbound network connections initiated by the MariaDB service account immediately following an SST event.

Detection Strategies

  • Inspect MariaDB error logs and mariabackup logs for SST sessions containing shell metacharacters in parameter values.
  • Hunt for process lineage where mysqld or mariabackup is the parent of a shell or scripting interpreter on donor hosts.
  • Correlate Galera cluster membership changes with subsequent process executions on donor nodes to identify anomalous SST-triggered activity.
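The first two detection strategies above, log inspection for shell metacharacters and process-lineage hunting, can be scripted against exported logs and process-creation events. The Python below is an added example for this page, not a MariaDB or vendor tool. The sample log lines and process events are constructed for the example and only approximate real donor output; the assumption that the SST helper is launched with `wsrep_sst_` in its command line is also this example's own.

```python
import re

# Metacharacters the advisory names as indicators: backticks, $(), ; and |
SHELL_META_RE = re.compile(r"(`|\$\(|;|\|)")

# Constructed donor-side log lines (illustrative; not real MariaDB output).
SAMPLE_SST_LOG = [
    "2026-06-13 10:01:02 0 [Note] WSREP: Running: 'wsrep_sst_mariabackup --role donor --address 10.0.0.12:4444'",
    "2026-06-13 10:05:44 0 [Note] WSREP: Running: 'wsrep_sst_mariabackup --role donor --address 10.0.0.99:4444;true'",
    "2026-06-13 10:06:10 0 [Note] WSREP: Running: 'wsrep_sst_mariabackup --role donor --address $(hostname):4444'",
    "2026-06-13 10:06:11 0 [Note] InnoDB: Buffer pool(s) load completed",
]

# Constructed process-creation events (pid, parent pid, short name, command line).
SAMPLE_PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1,   "comm": "mariadbd",    "cmdline": "/usr/sbin/mariadbd"},
    {"pid": 200, "ppid": 100, "comm": "bash",        "cmdline": "/bin/bash /usr/bin/wsrep_sst_mariabackup --role donor"},
    {"pid": 210, "ppid": 200, "comm": "mariabackup", "cmdline": "mariabackup --backup"},
    {"pid": 300, "ppid": 200, "comm": "sh",          "cmdline": "sh -c hostname"},
    {"pid": 400, "ppid": 1,   "comm": "bash",        "cmdline": "/bin/bash"},
]

SHELL_INTERPRETERS = {"sh", "bash", "dash", "python", "python3", "perl"}
DB_PARENTS = {"mysqld", "mariadbd", "mariabackup"}


def find_suspicious_sst_lines(lines):
    """Return (line_index, metacharacter) for SST log lines carrying shell
    metacharacters. Only lines that mention an SST script are inspected, so
    unrelated log noise does not trigger."""
    hits = []
    for i, line in enumerate(lines):
        if "wsrep_sst_" not in line:
            continue
        m = SHELL_META_RE.search(line)
        if m:
            hits.append((i, m.group(1)))
    return hits


def find_shell_children(events):
    """Return pids of shells or interpreters that descend from the database
    server or mariabackup, excluding the SST helper itself (the wsrep_sst_*
    helpers are shell scripts, so a shell directly under mysqld is expected
    during a legitimate SST)."""
    by_pid = {e["pid"]: e for e in events}

    def descends_from_db(event):
        seen = set()
        parent = by_pid.get(event["ppid"])
        while parent is not None and parent["pid"] not in seen:
            if parent["comm"] in DB_PARENTS:
                return True
            seen.add(parent["pid"])
            parent = by_pid.get(parent["ppid"])
        return False

    flagged = []
    for e in events:
        if e["comm"] not in SHELL_INTERPRETERS:
            continue
        if "wsrep_sst_" in e["cmdline"]:
            continue  # the SST helper script is itself a shell process
        if descends_from_db(e):
            flagged.append(e["pid"])
    return sorted(flagged)


if __name__ == "__main__":
    print("log hits:", find_suspicious_sst_lines(SAMPLE_SST_LOG))
    print("suspicious shell pids:", find_shell_children(SAMPLE_PROCESS_EVENTS))
```

The exclusion in `find_shell_children` matters in practice: because the mariabackup SST method is driven by a shell script, a rule that simply alerts on mysqld spawning a shell will fire on every legitimate SST. Alerting on shells or interpreters one level further down, or on shells whose command line is not the SST helper, keeps the lineage hunt useful.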

Monitoring Recommendations

  • Enable auditing of process creation events on all Galera donor candidates and forward them to a central analytics platform.
  • Monitor authentication events to Galera cluster ports, typically TCP 4567, 4568, and 4444, for unexpected joiner connections.
  • Alert on changes to SST configuration files such as wsrep_sst_method or credentials in /etc/mysql/.

How to Mitigate CVE-2026-44168

Immediate Actions Required

  • Upgrade affected MariaDB instances to a patched release: 10.6.26, 10.11.17, 11.4.11, 11.8.7, or 12.3.2.
  • Restrict network access to Galera cluster ports so only known cluster members can connect to donor nodes.
  • Rotate SST authentication credentials configured in wsrep_sst_auth after patching.

Patch Information

MariaDB published fixes in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2. Refer to the GitHub Security Advisory GHSA-vwf7-w26c-9w5h and MariaDB Jira Issue MDEV-39413 for the full list of fixed builds and release notes.

Workarounds

  • Use an alternate SST method that does not invoke mariabackup until the patch is deployed, where operationally feasible.
  • Place donor nodes behind a firewall or private network segment that blocks untrusted joiners from initiating SST.
  • Enforce strict TLS authentication between cluster members so only known peers can request SST.
```bash
# Verify the installed MariaDB version and apply a patched release
mysql -V

# Debian/Ubuntu
sudo apt update && sudo apt install --only-upgrade mariadb-server

# RHEL/Rocky/Alma (package name as used by the MariaDB repositories)
sudo dnf upgrade MariaDB-server

# Restrict Galera ports to trusted cluster members (iptables example;
# replace 10.0.0.0/24 with the subnet your cluster nodes actually use)
sudo iptables -A INPUT -p tcp -m multiport --dports 4444,4567,4568 \
  -s 10.0.0.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp -m multiport --dports 4444,4567,4568 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
