CVE-2026-44170: MariaDB: Argument injection in CONNECT REST Xcurl on Windows via unsanitized URL
MariaDB server is a community-developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB on Windows with the CONNECT engine installed and REST support enabled interpolated a table's HTTP attribute into the curl command line without proper sanitization. This allows a database user to execute shell commands on the server. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Argument injection in the MariaDB CONNECT engine's REST support on Windows allows an authenticated database user to inject arbitrary arguments into an underlying curl command line. The vulnerability is reachable over the network and requires only a low-privilege database account. Successful exploitation gives the attacker full remote code execution on the server, with high impact on confidentiality, integrity, and availability across the scope boundary. Patched-image rebuilds at versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2 are available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built Windows-based MariaDB images in connected registries and CI pipelines. Any image whose MariaDB version falls within the affected ranges is flagged immediately.
Status: Available
HarborGuard scores this finding at CVSS 9.9 Critical and applies per-environment compliance policy weighting to determine urgency and routing. Findings are surfaced to the team or inbox configured by each customer org, with the severity label and affected version range attached for immediate context.
Status: Available
Because upstream fixes exist at versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2, a patched-image rebuild at the appropriate fixed version becomes available in HarborGuard as soon as image build prerequisites are satisfied. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs the configured regression suite against the new image, and opens a pull request against affected workloads.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The MariaDB service must be reachable over the network; an attacker connects remotely to issue the malicious table definition.
- Authentication: Required
A low-privilege MariaDB account is sufficient; no administrative rights are needed to define a CONNECT REST table and trigger the injection.
- Victim interaction: Not required
No victim action is needed; the attacker exercises the injection entirely through their own authenticated session.
- Attack complexity: Low (CVSS AC:L)
Exploitation is reliable and condition-free; no race condition, memory layout dependency, or special environmental state is required.
Blast Radius
- Reads any file accessible to the MariaDB service account on the Windows host, including stored credentials, configuration files, and database data files.
- Writes or modifies files on the server filesystem within the service account's permissions, enabling persistent backdoors or corruption of database files.
- Executes arbitrary operating system commands on the server, allowing lateral movement, privilege escalation attempts, or exfiltration of the entire database.
- Crashes or disrupts the MariaDB service and dependent applications by terminating processes or corrupting critical files.
How HarborGuard Handles This
Available on HarborGuard: detection of this Critical-severity vulnerability has been active for all customer environments since the moment the CVE entered upstream feeds. For environments running MariaDB on Windows within the affected version ranges (10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, or 12.3.1), HarborGuard can produce a rebuilt image at the relevant fixed version (10.6.26, 10.11.17, 11.4.11, 11.8.7, or 12.3.2). For customers who opt into auto-remediation, the median time from CVE publication to a merged patch PR for Critical-severity issues is around 90 minutes, covering rebuild, regression-test run, and PR creation against affected workloads. Where compliance policy requires manual approval, the rebuilt image and test results are staged and waiting for review. Because no compensating control fully neutralizes argument injection at the database layer short of upgrading, upgrading to a patched version is the primary recommended action; in the interim, restricting network access to the MariaDB port and limiting which accounts can create CONNECT tables reduces the exposure surface.
- MariaDB / server: >= 10.6.1, < 10.6.26 · >= 10.11.1, < 10.11.17 · >= 11.4.1, < 11.4.11 · >= 11.8.1, < 11.8.7 · >= 12.3.1, < 12.3.2
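The affected ranges above are a set of half-open intervals on the server version, each closed by one fixed release. The following is an added example (not HarborGuard's scanner and not MariaDB code) of the version-matching step a defender would script when inventorying servers: it parses the string that `SELECT VERSION()` returns (for example `11.4.10-MariaDB-log`), reports the fix release when the version falls inside an affected range, and combines that with the three preconditions this advisory names (Windows host, CONNECT engine installed, REST support enabled). The three preconditions are caller-supplied booleans here; whether the CONNECT plugin is loaded can be read from `information_schema.PLUGINS`, while how REST support is detected on a given build is left to the caller. The sample version strings in the block are constructed.

```python
"""Match a MariaDB server version against the affected ranges of CVE-2026-44170.

Added example; the ranges and fix releases are the ones listed in this advisory.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (inclusive lower bound, exclusive upper bound); the upper bound is also the
# release that closes the range, so it doubles as the recommended upgrade target.
AFFECTED_RANGES = [
    ((10, 6, 1), (10, 6, 26)),
    ((10, 11, 1), (10, 11, 17)),
    ((11, 4, 1), (11, 4, 11)),
    ((11, 8, 1), (11, 8, 7)),
    ((12, 3, 1), (12, 3, 2)),
]

# Leading "major.minor.patch"; anything after it ("-MariaDB-log", build tags) is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version_string: str) -> Version:
    """Turn the output of SELECT VERSION() into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError(f"unrecognised MariaDB version string: {version_string!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def fix_version_for(version_string: str) -> Optional[str]:
    """Return the release that closes the affected range containing this version, or None."""
    v = parse_version(version_string)
    for lower, fixed in AFFECTED_RANGES:
        # Tuple comparison is lexicographic, which is exactly semantic-version order here.
        if lower <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def triage(version_string: str, on_windows: bool, connect_installed: bool, rest_enabled: bool) -> str:
    """Combine the version match with the preconditions the advisory names.

    An affected version whose preconditions are absent is still scheduled for
    upgrade, because a later configuration change could make it reachable.
    """
    fixed = fix_version_for(version_string)
    if fixed is None:
        return "not affected"
    if on_windows and connect_installed and rest_enabled:
        return f"exposed: upgrade to {fixed} now"
    return f"affected version, preconditions absent: upgrade to {fixed}"


if __name__ == "__main__":
    # Constructed sample inventory: (version string, windows, connect, rest).
    inventory = [
        ("10.6.25-MariaDB", True, True, True),
        ("11.4.10-MariaDB-log", False, True, True),
        ("10.11.17-MariaDB", True, True, True),
        ("11.0.6-MariaDB", True, True, True),
    ]
    for row in inventory:
        print(f"{row[0]:<22} -> {triage(*row)}")
```

Note that `11.0.6` falls between two affected series and is reported as not affected only because it is outside every listed range; the advisory does not say anything about series it does not list, so the checker should not be read as clearing them.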
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H