CVE-2026-48163: MariaDB: wsrep SST unsafe parameter handling on the donor side (rsync)
MariaDB server is a community-developed fork of MySQL server. In versions 10.6.1 before 10.6.27, 10.11.1 before 10.11.18, 11.4.1 before 11.4.12, 11.8.1 before 11.8.8, and 12.3.1, the donor node interpolates parameters sent by the joiner into a command line during the SST (State Snapshot Transfer). Not all of those parameters were properly validated, so a malicious joiner could execute arbitrary shell commands on the donor via the rsync SST method. This issue has been patched in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2.
Metrics
- CVSS v3.1: 8.0
- Severity: HIGH
- Fixed in: 10.6.27, 10.11.18, 11.4.12, 11.8.8, 12.3.2
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a command injection vulnerability in MariaDB server affecting the rsync-based SST (State Snapshot Transfer) mechanism used when a Galera cluster node synchronizes from a donor. An attacker controlling a joiner node sends crafted, insufficiently validated parameters that the donor interpolates directly into a shell command line, and the shell executes whatever the joiner embedded. Successful exploitation gives the attacker code execution on the donor with the privileges of the account that runs the SST script, which is enough to read and modify all database data on that node and to disrupt service. Upstream has published fixed releases (10.6.27, 10.11.18, 11.4.12, 11.8.8 and 12.3.2); HarborGuard tracks this advisory and surfaces a patched-image rebuild for every image that bundles an affected version.
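As an added illustration (not code from MariaDB's wsrep_sst_rsync script, which this page does not reproduce), the following POSIX shell shows the class of bug the advisory describes: a donor-side handler that splices a joiner-supplied address into a command string fed to eval, beside a handler that validates the value against an allow-list and passes it as a single argument. The address values, function names and allow-list pattern are assumptions for the demo, and echo stands in for the rsync invocation so that the injected command is harmless.

```shell
#!/bin/sh
# Added illustration, not MariaDB's wsrep_sst_rsync script: a donor-side handler
# that splices a joiner-supplied parameter into a shell command string, next to
# a handler that validates the parameter first and never re-parses it as shell.
# The SST address values below are constructed for the demo.

ADDR_BENIGN='10.0.0.5:4444'
# Same address with a command separator and a second command appended.
ADDR_HOSTILE='10.0.0.5:4444;echo INJECTED'

# Vulnerable pattern: build one string and hand it to the shell. The ';' in the
# joiner's value terminates the intended command and starts a new one.
# 'echo' stands in for the rsync invocation so the demo is harmless.
donor_unsafe() {
    cmd="echo transfer to $1"
    eval "$cmd"
}

# Allow-list check: host name or IPv4 literal, ':' and a 1-5 digit port.
# Anything else (spaces, ';', '$', '`', quotes, bracketed IPv6) is rejected;
# extend the pattern deliberately if the deployment needs more forms.
validate_sst_addr() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9.-]+:[0-9]{1,5}$'
}

# Hardened pattern: refuse anything outside the allow-list, then pass the value
# as a single argument. No eval, so there is no second round of shell parsing.
donor_safe() {
    if ! validate_sst_addr "$1"; then
        echo "rejected SST address: $1" >&2
        return 1
    fi
    echo "transfer to $1"
}
```

Run with `donor_unsafe "$ADDR_HOSTILE"` to see the second command execute, and `donor_safe "$ADDR_HOSTILE"` to see it rejected. The allow-list is the important half: quoting alone protects a single call site, while rejecting unexpected characters up front protects every later use of the value, including ones added after the review.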
HarborGuard Coverage
Detection of CVE-2026-48163 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle MariaDB server in the affected version ranges.
HarborGuard scores this CVE at CVSS 8.0 HIGH (v3.1) and weights it against each environment's compliance policy to determine routing priority. Triage tickets are routed to the appropriate inbox within the customer org based on image ownership and policy configuration.
Upstream has published fixed releases (10.6.27, 10.11.18, 11.4.12, 11.8.8 and 12.3.2), so HarborGuard offers a patched-image rebuild for every affected image. Where an image cannot be rebuilt immediately, customers can use HarborGuard policy controls to flag all images containing affected MariaDB versions for manual review and block their promotion to production.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Galera cluster's replication traffic over the network so that it can present itself to the donor as a joiner and hand it malicious SST parameters.
- Authentication: Required
The attacker needs privileges equivalent to cluster membership (PR:H in the CVSS vector): it must be accepted by the cluster as a joiner so that a donor is assigned to it and starts an SST. How high that bar is depends on how tightly the deployment restricts which hosts may join, which is why the network isolation described below matters.
- Victim interaction: Not required
No human interaction is needed; the donor processes the joiner's SST parameters automatically as part of the cluster synchronization flow.
- Attack complexity: High
Exploitation requires the attacker to control or impersonate a joiner node and craft specific SST parameters, which involves environmental setup beyond a single request.
Blast Radius
- Executes arbitrary shell commands on the donor MariaDB node with the privileges of the account the donor's SST script runs as (normally the database service user), giving control over that host.
- Reads all data stored in the donor's databases, including tables, credentials, and any files accessible to the MariaDB process user.
- Modifies or deletes persisted database rows and files on the donor node.
- Crashes or permanently disables the donor node, breaking Galera cluster replication and disrupting database availability for dependent workloads.
How HarborGuard Handles This
Available on HarborGuard: upstream has published fixed releases, so for every image containing a MariaDB version in the affected ranges (10.6.1-10.6.26, 10.11.1-10.11.17, 11.4.1-11.4.11, 11.8.1-11.8.7, 12.3.1) the platform offers a rebuild onto the fixed release of the same branch (10.6.27, 10.11.18, 11.4.12, 11.8.8 or 12.3.2). For customers with auto-remediation enabled, HarborGuard initiates the rebuild, a regression test run and a PR against affected workloads. Until an image is rebuilt, apply compensating controls through HarborGuard policy: restrict Galera replication and SST traffic (rsync SST listens on port 4444 by default) with network policies that admit only known cluster members, so that an untrusted host cannot present itself as a joiner; switch the SST method from rsync to mariabackup where operationally feasible, since the injection path is specific to the rsync SST handler; and flag all images in the affected ranges to block automatic promotion to production environments.
- MariaDB / server: >= 10.6.1, < 10.6.27 · >= 10.11.1, < 10.11.18 · >= 11.4.1, < 11.4.12 · >= 11.8.1, < 11.8.8 · >= 12.3.1, < 12.3.2
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
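As an added example (not HarborGuard's or MariaDB's own tooling), the following POSIX shell turns the affected ranges above into a check that an image-scanning or pre-deploy gate can run: it extracts the version from a server banner, maps each version to an integer and tests it against every "first affected to first fixed" pair. The sample banner is constructed for the demo and the function names are assumptions; only the branches the advisory lists are checked, so a version outside them is reported as "not in the affected ranges", which is not a statement that it is safe.

```shell
#!/bin/sh
# Added example, not HarborGuard's or MariaDB's own tooling: decide whether a
# MariaDB server version lies in one of the affected ranges from this advisory.
# Only the branches listed in the advisory are checked.

# Turn "X.Y.Z" into one integer so ranges compare with plain arithmetic.
ver_num() {
    IFS=. read -r major minor patch <<EOF
$1
EOF
    echo $(( major * 1000000 + minor * 1000 + ${patch:-0} ))
}

# Affected ranges from the advisory as "first-affected:first-fixed" pairs.
AFFECTED_RANGES='10.6.1:10.6.27 10.11.1:10.11.18 11.4.1:11.4.12 11.8.1:11.8.8 12.3.1:12.3.2'

# Exit 0 when the version is inside a range (affected), 1 otherwise.
mariadb_affected() {
    v=$(ver_num "$1")
    for range in $AFFECTED_RANGES; do
        lo=$(ver_num "${range%%:*}")
        hi=$(ver_num "${range##*:}")
        if [ "$v" -ge "$lo" ] && [ "$v" -lt "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# Pull "X.Y.Z" out of a server version banner such as the one printed by
# `mariadbd --version`. The sample banner below is constructed for the demo.
version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*Ver \([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p'
}

SAMPLE_BANNER='mariadbd  Ver 10.6.26-MariaDB for Linux on x86_64 (MariaDB Server)'

# Human-readable verdict for one version string.
report() {
    if mariadb_affected "$1"; then
        echo "$1: AFFECTED by CVE-2026-48163, upgrade to the fixed release of its branch"
    else
        echo "$1: not in the affected ranges"
    fi
}

report "$(version_from_banner "$SAMPLE_BANNER")"
```

In a real gate, feed `version_from_banner` the output of the image's own `mariadbd --version` rather than the sample, and treat a non-zero exit from `mariadb_affected` as "not listed" rather than "clean"; the version check is a complement to, not a replacement for, the network isolation and SST-method controls described above.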