CVE Vulnerability Database

CVE-2026-44170: MariaDB CONNECT Engine RCE Vulnerability

CVE-2026-44170 is a remote code execution vulnerability in MariaDB's CONNECT engine on Windows that allows attackers to execute shell commands through improper input sanitization. This article covers technical details, affected versions, impact, and mitigation steps.


CVE-2026-44170 Overview

CVE-2026-44170 is a command injection vulnerability [CWE-78] in MariaDB server on Windows when the CONNECT storage engine is installed with REST support enabled. The flaw stems from MariaDB interpolating the table HTTP attribute directly into a curl command line without proper sanitization. An authenticated database user can craft a malicious table definition to execute arbitrary shell commands on the host. The issue affects MariaDB branches 10.6.x, 10.11.x, 11.4.x, 11.8.x, and 12.3.x prior to the fixed releases. Fixes ship in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.

Critical Impact

Authenticated attackers can execute arbitrary OS commands on Windows MariaDB servers running the CONNECT engine with REST support.

Affected Products

  • MariaDB 10.6.1 through versions before 10.6.26 (Windows)
  • MariaDB 10.11.1 through versions before 10.11.17, and 11.4.1 through versions before 11.4.11 (Windows)
  • MariaDB 11.8.1 through versions before 11.8.7, and 12.3.1 (Windows, CONNECT engine with REST enabled)

Discovery Timeline

  • 2026-06-12 - CVE-2026-44170 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-44170

Vulnerability Analysis

The MariaDB CONNECT storage engine allows external data sources to be exposed as SQL tables. When REST support is compiled in, a table definition can specify an HTTP attribute pointing to a remote endpoint. On Windows builds, MariaDB constructs a curl invocation by concatenating this attribute into a shell command string. Because the value is not escaped or validated, characters such as &, |, &&, and backticks break out of the URL argument and introduce additional commands. The resulting process runs with the privileges of the MariaDB service account, which on Windows is frequently a high-privilege local account.

Exploitation requires the ability to issue CREATE TABLE statements that reference the CONNECT engine. In multi-tenant or hosted database deployments, any user holding CREATE privileges on a schema can trigger the injection.

Root Cause

The root cause is unsafe string interpolation of user-controlled table metadata into an OS command line. MariaDB invokes curl through a shell rather than executing it with argument arrays, so injected metacharacters are interpreted by the command processor. This is a textbook OS command injection pattern classified under [CWE-78].
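The following is an added illustration of the hardened pattern the root-cause paragraph implies; it is not MariaDB's CONNECT engine code, and the function names, the argv layout and the output-file argument are assumptions. The fix has two parts: validate the HTTP attribute as an absolute http(s) URL built only from characters RFC 3986 permits, and hand it to curl as a single argv element so that no command interpreter ever parses it.

```python
"""Added example (not MariaDB code): validating a CONNECT HTTP attribute and
invoking curl without a shell, in contrast to string interpolation."""
import re
import subprocess
from urllib.parse import urlsplit

# Characters RFC 3986 permits in a URL. cmd.exe metacharacters such as
# | ` ^ < > " and whitespace fall outside this set and are rejected outright.
# '&' is a legitimate query-string separator; it is tolerated because the
# argv-based invocation below makes it harmless.
URL_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$")


def validate_http_attribute(value: str) -> str:
    """Return value unchanged if it is an absolute http(s) URL made only of
    URL characters; raise ValueError otherwise."""
    if not URL_CHARS.match(value):
        raise ValueError("HTTP attribute contains characters not valid in a URL")
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("HTTP attribute must be an absolute http(s) URL")
    return value


def unsafe_command_line(http_attr: str) -> str:
    """The vulnerable pattern, shown only for contrast and never executed here:
    the raw attribute is interpolated into one string handed to a shell, so
    metacharacters inside it are interpreted by the command processor."""
    return f'curl -s -o out.json "{http_attr}"'


def build_curl_argv(http_attr: str, out_path: str) -> list:
    """The safe pattern: one list element per argument. '--' ends option
    parsing so the URL cannot be mistaken for a curl option."""
    url = validate_http_attribute(http_attr)
    return ["curl", "-s", "-o", out_path, "--", url]


def fetch_rest_document(http_attr: str, out_path: str) -> int:
    """Run curl without a shell. With shell=False the argv goes to
    CreateProcess/execve directly; cmd.exe is never involved, so the URL
    reaches curl verbatim. Returns curl's exit status."""
    argv = build_curl_argv(http_attr, out_path)
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    print(build_curl_argv("https://api.example.com/items?limit=50&page=2", "feed.json"))
```

The validation rejects any value a URL could not legitimately contain, while the argv invocation is what actually removes the injection class: even the permitted `&` is delivered to curl as data, not to a command processor.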

Attack Vector

An authenticated attacker creates a CONNECT-engine table whose HTTP attribute contains shell metacharacters followed by an attacker-supplied payload. When MariaDB issues the outbound REST request, the injected commands execute on the Windows host. The attacker can stage tooling, exfiltrate database contents, or pivot to other systems on the network. No user interaction is required beyond the initial table creation. Refer to the GitHub Security Advisory and MariaDB JIRA Issue MDEV-39289 for technical details.

Detection Methods for CVE-2026-44170

Indicators of Compromise

  • Unexpected cmd.exe, powershell.exe, or other process creations whose parent is mysqld.exe or mariadbd.exe on Windows hosts.
  • CREATE TABLE or ALTER TABLE statements referencing ENGINE=CONNECT with TABLE_TYPE=JSON or XML and an HTTP= attribute containing shell metacharacters such as &, |, or backticks.
  • Outbound network connections from the MariaDB service to unexpected hosts immediately followed by suspicious child process activity.

Detection Strategies

  • Audit MariaDB query logs and information_schema.tables for CONNECT-engine tables that use REST table types, then review their OPTION_LIST values for injection characters.
  • Monitor Windows Sysmon Event ID 1 for child processes of the MariaDB service binary, which should never spawn interactive shells under normal operation.
  • Correlate EDR telemetry for curl.exe invocations spawned by mariadbd.exe with command lines containing chained operators.
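The following is an added detection example covering the indicators of compromise and detection strategies listed above; it is not code from the advisory or from MariaDB. It scans MariaDB general-query-log rows (`Time Id Command Argument` layout) for CONNECT table definitions whose HTTP= attribute contains characters that cannot appear in a URL, and classifies Sysmon Event ID 1 records (fields Image, ParentImage, CommandLine) whose parent is the MariaDB service binary. All sample log lines and events are constructed.

```python
"""Added example (not advisory or MariaDB code): flag suspicious CONNECT/REST
table definitions in general-log text and database-service child processes
in Sysmon Event ID 1 records. All sample inputs are constructed."""
import re
from pathlib import PureWindowsPath

DB_SERVICE_BINARIES = {"mysqld.exe", "mariadbd.exe"}
SHELL_BINARIES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Operators that chain or redirect commands in cmd.exe. A lone '&' is left out
# of the command-line check because it is normal inside a quoted URL.
CMD_CHAIN_OPERATORS = re.compile(r"&&|\|\||[|<>^`]")
# Anything outside the RFC 3986 URL character set inside an HTTP= value is
# suspect; this catches | ` ^ < > " and whitespace but tolerates '&' and '='.
NON_URL_CHAR = re.compile(r"[^A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]")
CONNECT_DDL = re.compile(r"\b(?:CREATE|ALTER)\s+TABLE\b.*\bENGINE\s*=\s*CONNECT\b", re.I | re.S)
HTTP_ATTR = re.compile(r"""\bHTTP\s*=\s*(['"])(.*?)\1""", re.I | re.S)
GENERAL_LOG_QUERY = re.compile(r"^\S+\s+\S+\s+\d+\s+Query\s+(.*)$")


def flag_connect_ddl(statement: str):
    """Return a reason if the statement defines a CONNECT table whose HTTP
    attribute contains characters that cannot appear in a URL, else None."""
    if not CONNECT_DDL.search(statement):
        return None
    m = HTTP_ATTR.search(statement)
    if not m:
        return None
    url = m.group(2)
    bad = sorted(set(NON_URL_CHAR.findall(url)))
    if "&&" in url:
        bad.append("&&")
    if bad:
        return "non-URL characters in HTTP attribute: " + " ".join(repr(c) for c in bad)
    return None


def scan_general_log(text: str):
    """Return (statement, reason) for every flagged Query row in general-log text."""
    hits = []
    for line in text.splitlines():
        m = GENERAL_LOG_QUERY.match(line)
        if not m:
            continue
        reason = flag_connect_ddl(m.group(1))
        if reason:
            hits.append((m.group(1), reason))
    return hits


def flag_process_event(event: dict):
    """Classify a Sysmon Event ID 1 record by its parent. Any child of the
    database service is reported for review; shells and command lines with
    chained operators are rated high."""
    if event.get("EventID") != 1:
        return None
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if parent not in DB_SERVICE_BINARIES:
        return None
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image in SHELL_BINARIES:
        return f"high: {image} spawned by {parent}"
    if CMD_CHAIN_OPERATORS.search(event.get("CommandLine", "")):
        return f"high: chained operators in command line of {image} under {parent}"
    return f"review: unexpected child {image} of {parent}"


# Constructed sample general-log rows: one benign REST table, one suspicious.
SAMPLE_GENERAL_LOG = """\
260614 10:22:01    42 Query     CREATE TABLE feed ENGINE=CONNECT TABLE_TYPE=JSON HTTP='https://api.example.com/items?limit=50&page=2' FILE_NAME='feed.json'
260614 10:22:09    42 Query     SELECT COUNT(*) FROM feed
260614 10:23:44    57 Query     CREATE TABLE t2 ENGINE=CONNECT TABLE_TYPE=XML HTTP='https://api.example.com/x | SUSPICIOUS-TOKEN'
260614 10:24:10    57 Query     CREATE TABLE t3 ENGINE=InnoDB AS SELECT 1
"""

# Constructed Sysmon Event ID 1 records (paths are placeholders).
SAMPLE_SYSMON_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\MariaDB\bin\curl.exe",
     "ParentImage": r"C:\Program Files\MariaDB\bin\mariadbd.exe",
     "CommandLine": 'curl -s -o feed.json "https://api.example.com/items?limit=50&page=2"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\MariaDB\bin\mariadbd.exe",
     "CommandLine": "cmd.exe /c SUSPICIOUS-TOKEN"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for statement, reason in scan_general_log(SAMPLE_GENERAL_LOG):
        print(reason, "<-", statement)
    for event in SAMPLE_SYSMON_EVENTS:
        print(flag_process_event(event))
```

The DDL check deliberately tolerates `&` and `=` because they are ordinary in query strings; a rule that fires on every `&` would page on legitimate REST tables. The process check reports every child of the service binary, matching the advisory's advice to treat any process tree rooted at the database service as anomalous, and escalates only for shells or chained operators.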

Monitoring Recommendations

  • Enable MariaDB general query logging or audit plugin output for CREATE TABLE statements and forward to a SIEM for review.
  • Alert on any new process tree rooted at the database service on Windows, treating it as anomalous by default.
  • Track outbound HTTP requests originating from database servers and baseline expected destinations.

How to Mitigate CVE-2026-44170

Immediate Actions Required

  • Upgrade affected Windows installations to MariaDB 10.6.26, 10.11.17, 11.4.11, 11.8.7, or 12.3.2 as appropriate for your branch.
  • If patching is not immediately possible, disable or uninstall the CONNECT storage engine on Windows hosts where it is not required.
  • Revoke CREATE and ALTER privileges from accounts that do not need to define new tables, and audit existing CONNECT tables for malicious definitions.

Patch Information

MariaDB has released fixed builds that properly sanitize the HTTP attribute before constructing the curl command. See the GitHub Security Advisory GHSA-f835-cfjq-wf73 for upgrade artifacts and the MariaDB JIRA Issue MDEV-39289 for the underlying defect tracking.

Workarounds

  • Run the MariaDB Windows service under a low-privilege dedicated account to limit the impact of successful command execution.
  • Block outbound HTTP/HTTPS traffic from database servers at the network layer so the vulnerable curl code path cannot be reached.
  • Disable the affected engine until the host is patched. disabled_storage_engines='CONNECT' is read-only at runtime, so set it in the server configuration file and restart the service; to block the engine without a restart, unload the plugin with UNINSTALL SONAME 'ha_connect'.

```bash
# Disable the CONNECT engine until the host is patched. The variable is
# read-only at runtime, so set it in my.ini under [mysqld]:
#   disabled_storage_engines=CONNECT
# then restart the MariaDB service (service name may differ).
net stop MariaDB && net start MariaDB

# Runtime alternative without a restart: unload the plugin, then confirm.
mysql -u root -p -e "UNINSTALL SONAME 'ha_connect'; SHOW ENGINES;"

# Verify installed version after upgrade
mysql -u root -p -e "SELECT VERSION();"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
