CVE-2026-48165 Overview
CVE-2026-48165 is a command injection vulnerability in MariaDB server, the community-developed fork of MySQL. The flaw allows a high-privileged MariaDB user to abuse the wsrep_sst_receive_address and wsrep_sst_donor global system variables to execute shell commands. Commands run with the user ID (UID) of the mariadbd process on the Galera joiner node. The issue affects MariaDB versions 10.6.1 through 12.3.1 and has been patched in 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. The vulnerability is categorized under [CWE-78] OS Command Injection.
Critical Impact
A privileged database user can execute arbitrary shell commands as the mariadbd service account on Galera cluster joiner nodes, leading to full host compromise.
Affected Products
- MariaDB versions 10.6.1 to before 10.6.27
- MariaDB versions 10.11.1 to before 10.11.18, and 11.4.1 to before 11.4.12
- MariaDB versions 11.8.1 to before 11.8.8, and 12.3.1
Discovery Timeline
- 2026-06-12 - CVE-2026-48165 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-48165
Vulnerability Analysis
The vulnerability resides in MariaDB's Galera cluster State Snapshot Transfer (SST) subsystem. Galera uses SST to synchronize a joining node with the cluster by streaming data from a donor node. Two global system variables, wsrep_sst_receive_address and wsrep_sst_donor, configure how the joiner receives data and which donor supplies it.
MariaDB passes the values of these variables to shell processes that invoke SST scripts. The server does not sanitize shell metacharacters before constructing the command line. An authenticated user with SUPER or equivalent privileges can set these variables to values containing shell injection payloads. When SST is triggered, the malicious payload executes as the mariadbd process UID on the joiner node.
Root Cause
The root cause is improper neutralization of special elements used in an OS command [CWE-78]. The wsrep_sst_receive_address and wsrep_sst_donor variables are concatenated into shell command strings without quoting or escaping. Galera SST scripts execute through a shell, allowing metacharacters such as ;, |, `, and $() to break out of the intended argument context.
Attack Vector
Exploitation requires high privileges on the MariaDB instance, network access to issue SQL statements, and an active or triggerable Galera cluster. The attacker sets one of the vulnerable global variables to a crafted string containing a command substitution or chained command. When the joiner node initiates SST, the shell expands the injected payload and runs it under the mariadbd UID.
The consequence is command execution on the joiner host with database service privileges, enabling credential theft, lateral movement within the cluster, and persistence on the underlying operating system. See the MariaDB GitHub Security Advisory GHSA-7v3p-h23x-8hwv and MariaDB JIRA Issue MDEV-39676 for vendor technical details.
Detection Methods for CVE-2026-48165
Indicators of Compromise
- Unexpected child processes spawned by mariadbd, particularly shells (/bin/sh, /bin/bash) or utilities such as curl, wget, nc, or python.
- Modifications to wsrep_sst_receive_address or wsrep_sst_donor containing shell metacharacters (;, |, `, $(), &&).
- SST script execution logs in wsrep_sst*.log containing unexpected command fragments or errors referencing injected payloads.
Detection Strategies
- Audit MariaDB general query logs for SET GLOBAL wsrep_sst_receive_address or SET GLOBAL wsrep_sst_donor statements with non-standard values.
- Monitor process ancestry on Galera nodes to detect mariadbd parenting non-SST binaries or interactive shells.
- Review Galera state transfer events correlated with privileged session activity from non-administrative source IPs.
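The audit strategy above, and the metacharacter indicator in the previous list, as an added example that is not part of the original advisory: a small scanner over MariaDB general-query-log lines that picks out SET GLOBAL on the two SST variables and flags values that contain shell metacharacters or fall outside the normal value syntax. The general-log layout, the allowlist regexes and the sample lines are my assumptions and constructed input, not vendor data.

```python
import re
from typing import Optional
# Shell metacharacters from the indicators list (; | ` $() &&) plus redirects and newline.
METACHAR_RE = re.compile(r"[;|`&$<>\n]")
# Allowlists are my assumption: receive_address is "host:port", "[v6]:port" or AUTO; donor is comma-separated node names.
ALLOWED = {
    "wsrep_sst_receive_address": re.compile(r"^(AUTO|\[?[A-Za-z0-9.:-]+\]?(:\d{1,5})?)$", re.I),
    "wsrep_sst_donor": re.compile(r"^[A-Za-z0-9._-]*(,[A-Za-z0-9._-]*)*$"),
}
# Assumed general-log layout: "<yymmdd hh:mm:ss>\t<thread id> Query\t<sql>".
LOG_RE = re.compile(r"^(?:\d{6}\s+\d\d:\d\d:\d\d)?\s*(?P<tid>\d+)\s+Query\s+(?P<sql>.+)$")
SET_RE = re.compile(
    r"^\s*SET\s+(?:GLOBAL\s+|@@global\.)(?P<var>wsrep_sst_receive_address|wsrep_sst_donor)"
    r"\s*=\s*(?P<val>'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"|[^\s;]+)\s*;?\s*$", re.I)

def parse_set_global(sql: str) -> Optional[tuple[str, str]]:
    """Return (variable, value) for a SET GLOBAL on an SST variable, else None."""
    if not (m := SET_RE.match(sql)):
        return None
    return m.group("var").lower(), m.group("val").strip("'\"")  # drop SQL quotes; the shell sees the inner text

def classify_value(var: str, value: str) -> list[str]:
    """Reasons a value is suspicious; an empty list means it looks like a normal setting."""
    reasons = []
    if METACHAR_RE.search(value):
        reasons.append("shell metacharacter")
    if not ALLOWED[var].match(value):
        reasons.append("outside expected value syntax")
    return reasons

def scan_general_log(lines) -> list[dict]:
    """One finding per SET GLOBAL on an SST variable whose value fails the checks above."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        parsed = parse_set_global(m.group("sql")) if m else None
        if parsed and (reasons := classify_value(*parsed)):
            findings.append({"thread": int(m.group("tid")), "var": parsed[0],
                             "value": parsed[1], "reasons": reasons})
    return findings
# Constructed sample general-log lines, not from a real server.
SAMPLE_LOG = [
    "260612 14:03:21\t    42 Query\tSET GLOBAL wsrep_sst_donor = 'node2,node3'",
    "260612 14:05:02\t    57 Query\tSET GLOBAL max_connections = 500",
    "260612 14:05:10\t    57 Query\tSET @@global.wsrep_sst_receive_address = \"10.0.0.7:4444\"",
    "260612 14:07:45\t    57 Query\tSET GLOBAL wsrep_sst_donor = 'node2;echo injected'",
]
if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG):
        print(f"thread {f['thread']}: {f['var']} = {f['value']!r} -> {', '.join(f['reasons'])}")
```

Feed it the general log (or the audit plugin's query records) from each Galera node; a hit on a session that is not a known administrative one is the correlation the third strategy describes.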
Monitoring Recommendations
- Enable MariaDB audit plugin logging for SET GLOBAL statements affecting wsrep_* variables.
- Forward MariaDB error logs and SST script output to a centralized SIEM with alerting on shell metacharacter patterns.
- Track outbound network connections originating from database hosts to detect post-exploitation command-and-control activity.
How to Mitigate CVE-2026-48165
Immediate Actions Required
- Upgrade MariaDB to a patched version: 10.6.27, 10.11.18, 11.4.12, 11.8.8, or 12.3.2.
- Restrict the SUPER and SYSTEM_VARIABLES_ADMIN privileges to a minimal set of administrative accounts.
- Rotate credentials for any account with the ability to set global Galera variables if compromise is suspected.
Patch Information
MariaDB has released fixed versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. Apply the upgrade across all Galera cluster nodes, prioritizing joiner-eligible hosts. Refer to the MariaDB GitHub Security Advisory GHSA-7v3p-h23x-8hwv for release notes and upgrade procedures.
Workarounds
- Limit privileged database accounts and enforce strict role-based access control to prevent setting wsrep_sst_* variables.
- Run mariadbd under a dedicated low-privilege service account with restrictive file system and network permissions.
- Apply mandatory access controls such as SELinux or AppArmor profiles to constrain shell execution by the database process.
# Verify the running MariaDB version and check current Galera SST settings
mysql -u root -p -e "SELECT VERSION();"
mysql -u root -p -e "SHOW GLOBAL VARIABLES LIKE 'wsrep_sst_%';"
# Audit accounts holding SUPER, the privilege SET GLOBAL on these variables requires.
# The Priv JSON column in mysql.global_priv stores "access" as a numeric bitmask, so a
# text LIKE '%SUPER%' against it matches nothing; information_schema.USER_PRIVILEGES
# lists each global privilege by name instead.
mysql -u root -p -e "SELECT GRANTEE FROM information_schema.USER_PRIVILEGES \
WHERE PRIVILEGE_TYPE = 'SUPER';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

