CVE-2026-44168: MariaDB: wsrep SST unsafe parameter handling on the donor side
MariaDB server is a community-developed fork of MySQL server. In versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, the donor node interpolates parameters sent by the joiner into the command line during the SST. Not all of these parameters were properly validated, which could allow a malicious joiner to execute arbitrary shell commands on the donor side via the mariabackup SST method. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
Metrics
- CVSS v3.1: 8.0
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a command injection vulnerability in MariaDB server affecting the Galera cluster State Snapshot Transfer (SST) process, specifically the mariabackup SST method. The donor node (the cluster member sending database state to a new joiner) interpolates parameters received from the joiner into a shell command line without fully validating them, allowing a malicious joiner node to inject arbitrary shell commands that execute on the donor. Exploitation requires network access to the cluster replication port and a high-privilege (admin-level) account, but success grants the attacker full control over the donor host. Patched versions (10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2) exist upstream, and patched-image rebuilds at those versions are available on HarborGuard for environments running an affected MariaDB release.
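The defect class described above is a string-assembled command line that a shell later evaluates, with joiner-supplied values spliced in unvalidated. The POSIX sh snippet below is an added example and is not MariaDB's wsrep_sst_mariabackup script: the parameter names (a host and a port) and the socat command line are constructed stand-ins for whatever the real SST scripts interpolate. It contrasts the unsafe string-building pattern with a hardened version that allowlists each value and keeps it as a discrete argv word, so a metacharacter in a joiner-supplied value is rejected rather than interpreted.

```shell
# Added example, not MariaDB code. Host/port and the socat command are
# constructed placeholders standing in for real SST script parameters.

# Accept only characters that can appear in a hostname or IP literal
# (letters, digits, dot, colon for IPv6, underscore, hyphen).
validate_host() {
  case "$1" in
    ''|*[!A-Za-z0-9.:_-]*) return 1 ;;
  esac
  return 0
}

# Accept only a decimal TCP port in the range 1..65535.
validate_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Unsafe pattern (the shape the advisory describes): joiner-controlled values
# are spliced into one string that the script later hands to the shell, e.g.
# via eval. Any shell metacharacter in $1 or $2 then becomes part of the
# command. This function only builds the string; it is never evaluated here.
build_cmd_unsafe() {
  printf 'socat - TCP:%s:%s' "$1" "$2"
}

# Hardened pattern: validate against an allowlist first, then keep each value
# as its own argv word. There is no eval and no string-assembled command for a
# metacharacter to escape from. The argv is printed one word per line so it
# can be inspected; a real script would exec the tool with these words.
build_cmd_safe() {
  validate_host "$1" || { echo "rejected joiner host: $1" >&2; return 1; }
  validate_port "$2" || { echo "rejected joiner port: $2" >&2; return 1; }
  printf '%s\n' socat - "TCP:$1:$2"
}
```

The validators are deliberately strict allowlists rather than blocklists of known metacharacters: a joiner that is allowed to participate in SST is already a high-privilege peer, so the donor should accept only the exact shape each parameter can legitimately take.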
HarborGuard Coverage
Detection of CVE-2026-44168 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle any of the affected MariaDB version ranges. Coverage extends to images in connected registries and images built inline through customer CI pipelines.
Available: HarborGuard is capable of scoring this CVE at CVSS 8.0 HIGH and surfacing it with per-environment compliance policy weighting, so teams with stricter baselines for database infrastructure can receive elevated priority routing. Triage routing to the appropriate team inbox inside each customer organization is available based on image ownership and policy configuration.
Available: Because upstream fix versions exist (10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2), a patched-image rebuild at the applicable fix version becomes available on HarborGuard for any customer environment found to be running an affected MariaDB release. For customers who opt into auto-remediation, HarborGuard is capable of performing the rebuild, running a regression test pass, and opening a pull request against affected workloads automatically, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues in environments with auto-remediation enabled.
Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the MariaDB Galera cluster replication interface over the network, as the SST mechanism is exposed to joiner nodes communicating across the network.
- Authentication: Required
  A high-privilege (admin-level) MariaDB account is needed for the malicious joiner node to participate in the SST handshake and supply crafted parameters to the donor.
- Victim interaction: Not required
  No human interaction is required; the exploit is triggered automatically when the donor node processes SST parameters supplied by the malicious joiner.
- Attack complexity: High
  Exploitation is rated High complexity, meaning the attacker may need to satisfy specific environmental conditions or timing constraints, such as orchestrating a legitimate-looking joiner node join event against a reachable donor.
Blast Radius
- The attacker executes arbitrary shell commands on the donor node with the privileges of the MariaDB process, giving full operating-system-level access to that host.
- All database files accessible to the MariaDB process on the donor are readable, exposing stored table data, credentials, and configuration secrets.
- The attacker can modify or delete database files and host filesystem contents, corrupting persisted data across the affected cluster member.
- The donor node service can be crashed or rendered unavailable, disrupting cluster replication and potentially stalling the entire Galera cluster.
How HarborGuard Handles This
Available on HarborGuard: detection of this CVE is matched against customer images within minutes of advisory ingestion, covering all affected MariaDB version ranges (10.6.1 through pre-10.6.26, 10.11.1 through pre-10.11.17, 11.4.1 through pre-11.4.11, 11.8.1 through pre-11.8.7, and 12.3.1). Because upstream patches are published, a patched-image rebuild at the appropriate fix version is available for any customer environment running an affected image. For customers who opt into auto-remediation, HarborGuard is capable of performing the rebuild, running a regression test pass, and opening a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with CVSS 8.0 HIGH severity and routes it to the team inbox configured for database image ownership, so engineers can act manually. As an interim measure while upgrades are planned, customers can evaluate network policy controls that restrict which nodes are permitted to initiate SST join requests against donor cluster members.
- MariaDB / server: >= 10.6.1, < 10.6.26 · >= 10.11.1, < 10.11.17 · >= 11.4.1, < 11.4.11 · >= 11.8.1, < 11.8.7 · >= 12.3.1, < 12.3.2
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H