CVE-2026-48163 Overview
CVE-2026-48163 is a command injection vulnerability in MariaDB server affecting the State Snapshot Transfer (SST) process used in Galera cluster replication. The donor node interpolates parameters supplied by the joiner directly into a shell command line without sufficient validation. A malicious joiner node can leverage the rsync SST method to execute arbitrary shell commands on the donor system. The flaw is tracked as CWE-78 (OS Command Injection) and impacts MariaDB versions 10.6.1 through 12.3.1. Patches are available in 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2.
Critical Impact
A malicious joiner participating in an SST handshake can execute arbitrary shell commands on the donor node, leading to full compromise of clustered MariaDB database servers.
Affected Products
- MariaDB server 10.6.1 to before 10.6.27
- MariaDB server 10.11.1 to before 10.11.18, and 11.4.1 to before 11.4.12
- MariaDB server 11.8.1 to before 11.8.8, and 12.3.1
Discovery Timeline
- 2026-06-12 - CVE-2026-48163 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-48163
Vulnerability Analysis
MariaDB Galera clusters use State Snapshot Transfer (SST) to synchronize a joining node with the current cluster state. The rsync SST method invokes external shell utilities on the donor node to package and ship data to the joiner. During the SST handshake, the joiner transmits a set of parameters that the donor incorporates into the executed command line.
The donor implementation fails to validate or escape all of these joiner-supplied parameters before passing them to the shell. An attacker controlling a node that can initiate or impersonate a joiner SST request can craft parameter values containing shell metacharacters. The donor then executes the injected commands under the privileges of the MariaDB service account, typically mysql, gaining code execution on a production database host.
Root Cause
The root cause is improper neutralization of special elements in OS commands (CWE-78). The SST orchestration logic on the donor builds command strings via string interpolation of joiner-controlled values rather than using argument arrays or strict allowlists. Because the rsync SST method spawns helper processes through a shell, any unescaped metacharacter, such as ;, |, $() or backticks, breaks out of the intended argument context.
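The contrast between interpolation and an allowlisted argv, shown as an added example in Python; this is not MariaDB's own SST code, and the rsync invocation is a simplified stand-in for what the real helper runs.

```python
import re

# Strict allowlist for the one joiner-supplied value this simplified rsync SST path needs:
# a bare host:port. Hostnames, dotted IPv4 and bracketed IPv6 are accepted, nothing else.
ADDR_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9.\-]{1,253}|\[[0-9A-Fa-f:.]{2,45}\]):(?P<port>[0-9]{1,5})$"
)


def parse_joiner_address(value):
    """Allowlist parse; anything outside host:port, metacharacters included, is rejected."""
    m = ADDR_RE.fullmatch(value)
    if m is None:
        raise ValueError(f"rejected joiner address: {value!r}")
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return m.group("host"), port


def is_valid_joiner_address(value):
    """Boolean wrapper so callers can pre-check without handling the exception."""
    try:
        parse_joiner_address(value)
        return True
    except ValueError:
        return False


def vulnerable_command(joiner_addr, datadir):
    """The pattern the advisory describes: the raw joiner value lands inside one shell string,
    so any metacharacter it carries is interpreted by the shell rather than by rsync."""
    return f"rsync --archive {datadir}/ rsync://{joiner_addr}/rsync_sst/"


def hardened_argv(joiner_addr, datadir):
    """Validated value passed as an argv list (run with subprocess.run(argv), never shell=True),
    so the address can only ever reach rsync as a single argument."""
    host, port = parse_joiner_address(joiner_addr)
    return ["rsync", "--archive", f"{datadir}/", f"rsync://{host}:{port}/rsync_sst/"]
```

The real helpers are bash scripts, so the same rule there is: validate against an allowlist pattern first, then double-quote every expansion and never pass the value through eval or a nested sh -c.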
Attack Vector
Exploitation requires the attacker to participate in the Galera replication protocol as a joiner. This typically means the attacker has high-privilege access to the cluster network and cluster credentials, reflected in the PR:H component of the CVSS vector. Once positioned, the attacker initiates an SST using the rsync method and embeds shell payloads into the parameters interpolated by the donor. The donor executes the payload, granting the attacker arbitrary command execution on the donor host.
No verified public proof-of-concept code is available. See the MariaDB GitHub Security Advisory GHSA-rpgv-q6gv-684r and MariaDB Jira issue MDEV-39648 for vendor-supplied technical details.
Detection Methods for CVE-2026-48163
Indicators of Compromise
- Unexpected child processes of mysqld or wsrep_sst_rsync such as /bin/sh, bash, curl, wget, or nc on donor nodes.
- SST events in the MariaDB error log referencing unusual joiner identifiers, IP addresses outside the documented cluster, or malformed parameter strings.
- New cron entries, SSH keys, or world-writable files appearing under the mysql user's home directory following an SST.
Detection Strategies
- Monitor process lineage on donor hosts for shell or networking utilities spawned by wsrep_sst_* scripts, which should never occur during a clean SST.
- Alert on inbound Galera SST connections from hosts not present in the cluster allowlist or from unexpected source ports.
- Compare MariaDB versions across the fleet against the fixed releases 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2 to identify exposed nodes.
Monitoring Recommendations
- Centralize MariaDB error logs and wsrep SST logs and apply parsers that flag shell metacharacters in joiner parameter fields.
- Enable auditd or eBPF-based process monitoring on database hosts to capture execve calls originating from SST helper scripts.
- Track outbound network connections from the mysql service account, since legitimate database operation rarely requires arbitrary egress.
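The process-lineage rule from the detection strategies above, as an added example in Python that is not part of the advisory and not MariaDB code. It runs over constructed execve records in the shape auditd or an eBPF tracer would produce (pid, ppid, comm, exe) and flags shell or network utilities whose parent chain passes through wsrep_sst_rsync; the launcher shell directly under the server and an unrelated interactive shell are included to show they are not flagged.

```python
import os
from dataclasses import dataclass

# Tools that have no place beneath the rsync SST helper on a donor. Scope is deliberately
# wsrep_sst_rsync: the mariabackup SST legitimately streams through socat or nc.
SUSPECT_BINARIES = {"sh", "bash", "dash", "curl", "wget", "nc", "ncat", "socat"}
SST_HELPERS = ("wsrep_sst_rsync",)


@dataclass(frozen=True)
class ExecEvent:
    """One execve record in the shape auditd or an eBPF tracer would emit (constructed)."""
    pid: int
    ppid: int
    comm: str  # for a shebang script the kernel records the script name, e.g. wsrep_sst_rsync
    exe: str   # resolved executable path


def sst_ancestor(ev, by_pid):
    """Walk the ppid chain and return the nearest SST helper ancestor, if there is one."""
    seen, cur = set(), by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if cur.comm in SST_HELPERS:
            return cur
        cur = by_pid.get(cur.ppid)
    return None


def suspect_children(events):
    """Return (pid, binary, helper comm) for every suspect tool spawned under an SST helper."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        name = os.path.basename(ev.exe)
        # The helper itself runs under bash; skip it and judge only what it spawns.
        if name not in SUSPECT_BINARIES or ev.comm in SST_HELPERS:
            continue
        anc = sst_ancestor(ev, by_pid)
        if anc is not None:
            hits.append((ev.pid, name, anc.comm))
    return hits


# Constructed lineage: mariadbd -> sh (launcher) -> wsrep_sst_rsync -> rsync (expected) + curl.
SAMPLE_EVENTS = [
    ExecEvent(1000, 1, "mariadbd", "/usr/sbin/mariadbd"),
    ExecEvent(1005, 1000, "sh", "/usr/bin/sh"),  # no SST helper above it, so not flagged
    ExecEvent(1010, 1005, "wsrep_sst_rsync", "/usr/bin/bash"),
    ExecEvent(1020, 1010, "rsync", "/usr/bin/rsync"),
    ExecEvent(1021, 1010, "curl", "/usr/bin/curl"),
    ExecEvent(2001, 1, "bash", "/usr/bin/bash"),  # an admin's interactive shell, unrelated
]
```

Baseline a clean SST on your own build before alerting, since the helper also spawns ordinary coreutils and the exact launcher chain varies by version and packaging.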
How to Mitigate CVE-2026-48163
Immediate Actions Required
- Upgrade MariaDB to a patched release: 10.6.27, 10.11.18, 11.4.12, 11.8.8, or 12.3.2.
- Restrict Galera cluster traffic, including SST ports, to a dedicated management network reachable only by authorized cluster members.
- Rotate cluster authentication material and audit recent SST events for signs of abuse before applying the patch.
Patch Information
MariaDB has released fixed builds in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. Refer to the MariaDB GitHub Security Advisory GHSA-rpgv-q6gv-684r and the MariaDB Jira issue MDEV-39648 for build metadata and changelog references.
Workarounds
- Switch the wsrep_sst_method from rsync to an alternative SST method such as mariabackup until patches are deployed, where operationally feasible.
- Enforce strict network segmentation and firewall rules so only known cluster nodes can initiate SST connections to donors.
- Run MariaDB under a hardened systemd unit with NoNewPrivileges=true, restricted SystemCallFilter, and ProtectHome=true to limit the impact of command execution.
# Configuration example - disable rsync SST and enforce mariabackup
# /etc/mysql/mariadb.conf.d/60-galera.cnf
[galera]
wsrep_sst_method=mariabackup
wsrep_sst_auth=sst_user:strong_password
# Restrict SST listener to the cluster management interface
wsrep_node_address=10.10.0.11
wsrep_sst_receive_address=10.10.0.11:4444
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.