CVE-2026-48165 · Severity: HIGH · CNA: GitHub_M

CVE-2026-48165: MariaDB: unsafe usage of `wsrep_sst_receive_address` values on the joiner side

MariaDB server is a community-developed fork of MySQL server. In versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, a high-privileged MariaDB user could have used the wsrep_sst_receive_address or wsrep_sst_donor global system variables to execute shell commands as the uid of the mariadbd process on the Galera joiner node. This issue has been patched in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2.

Metrics

  • CVSS v3.1: 8.0
  • Severity: HIGH
  • Fixed in: not yet recorded in the CVE record
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is an authenticated remote code execution vulnerability in MariaDB server, affecting Galera cluster deployments across versions 10.6.1 through 12.3.1 (see affected ranges). A high-privileged MariaDB user can set the wsrep_sst_receive_address or wsrep_sst_donor global system variables to values that cause the server process to execute arbitrary shell commands, running as the OS user of the mariadbd process on the Galera joiner node. Successful exploitation gives an attacker full control over the host process, including reads, writes, and the ability to crash or hijack the database service. Although the description references patched versions (10.6.27, 10.11.18, 11.4.12, 11.8.8, 12.3.2), no fix versions have been formally published in the CVE record yet; HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment upstream confirms availability.

HarborGuard Coverage

Detection

Detection for CVE-2026-48165 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built MariaDB images in private registries and CI pipelines. Any image carrying an affected MariaDB version (10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, or 12.3.1) is flagged automatically.

Status: Available
Triage

HarborGuard scores this CVE at CVSS 8.0 (HIGH) and surfaces it with that rating in each customer's findings dashboard, weighted against the customer's own compliance policy thresholds. Routing rules then direct the finding to the appropriate team inbox within the customer org based on image ownership and policy configuration.

Status: Available
Patch

Because no fix version has been formally confirmed in the CVE record, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream package index carries a confirmed fixed release. Where compliance policy permits, customers with auto-remediation enabled will receive the rebuilt image, a regression-test run, and a pull request opened against affected workloads without manual intervention.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the MariaDB service over the network to issue the malicious variable-set commands.

  • Authentication: Required

    A high-privileged (admin-level) MariaDB account is needed to set the wsrep_sst_receive_address or wsrep_sst_donor global system variables.

  • Victim interaction: Not required

    No user interaction is needed; the attacker acts entirely through their own authenticated session.

  • Attack complexity: High

    Attack complexity is rated HIGH, meaning the attacker must account for environmental factors or timing conditions beyond simply sending a request; exploitation is not trivially repeatable without controlling those conditions.

Blast Radius

  • The attacker executes arbitrary shell commands as the OS user running the mariadbd process, gaining a foothold on the underlying host.
  • Full confidentiality impact: the attacker reads any file accessible to the mariadbd process, including database data files, configuration, and credentials stored on disk.
  • Full integrity impact: the attacker writes or modifies files and database contents accessible to the mariadbd process, including persisted table data and server configuration.
  • Full availability impact: the attacker can crash, disable, or hijack the database service, causing a complete loss of database availability for dependent applications.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked on every ingest cycle because no formally confirmed fix version appears in the CVE record at this time. The description references upstream patch releases (10.6.27, 10.11.18, 11.4.12, 11.8.8, 12.3.2), and HarborGuard will automatically trigger a patched-image rebuild the moment those versions are confirmed in the upstream package index. In the meantime, recommended compensating controls include network-policy isolation that restricts which clients can reach the MariaDB port (limiting the pool of accounts that can issue global variable changes), restricting SUPER or SYSTEM_VARIABLES_ADMIN privilege grants to the minimum necessary accounts, and reviewing Galera SST configuration to ensure wsrep_sst_receive_address is set to a known-safe value. For customers who opt into auto-remediation, a rebuilt image, regression-test run, and PR against affected workloads will be generated automatically once a confirmed fixed version is available.

Affected packages
  • MariaDB / server
    >= 10.6.1, < 10.6.27 · >= 10.11.1, < 10.11.18 · >= 11.4.1, < 11.4.12 · >= 11.8.1, < 11.8.8 · >= 12.3.1, < 12.3.2
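The version-range matching behind the detection described above, as an added example that is not HarborGuard's or MariaDB's code: it parses the MAJOR.MINOR.PATCH prefix of a MariaDB version string (bare, or decorated the way `SELECT VERSION()` reports it) and checks it against exactly the affected ranges listed in this record, returning the first fixed release of the matching series. The sample version strings are constructed for the demonstration.

```python
import re
from typing import Optional, Tuple

# Affected ranges for CVE-2026-48165 as listed in this record:
# (first affected version, first fixed version) for each release series.
AFFECTED_RANGES = [
    ((10, 6, 1), (10, 6, 27)),
    ((10, 11, 1), (10, 11, 18)),
    ((11, 4, 1), (11, 4, 12)),
    ((11, 8, 1), (11, 8, 8)),
    ((12, 3, 1), (12, 3, 2)),
]

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(version_string: str) -> Tuple[int, int, int]:
    """Return the numeric MAJOR.MINOR.PATCH prefix of a MariaDB version string.

    Accepts the bare form ("10.6.22") and the decorated form returned by
    SELECT VERSION() or `mariadbd --version`, e.g.
    "10.6.22-MariaDB-1:10.6.22+maria~ubu2204-log"; any suffix is ignored.
    """
    match = _VERSION_RE.match(version_string)
    if not match:
        raise ValueError(f"not a MariaDB version string: {version_string!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return major, minor, patch


def check_cve_2026_48165(version_string: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, first_fixed_version) for the given server version.

    first_fixed_version is the patched release of the matching series when
    the version falls inside an affected range, otherwise None. A match means
    the build is in range; per the record the issue concerns Galera (wsrep)
    deployments, so whether wsrep is enabled must be confirmed separately.
    """
    version = parse_version(version_string)
    for first_affected, first_fixed in AFFECTED_RANGES:
        # Tuple comparison orders lexicographically: major, then minor, then patch.
        if first_affected <= version < first_fixed:
            return True, ".".join(str(part) for part in first_fixed)
    return False, None


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from a real server.
    for sample in ("10.6.22-MariaDB-1:10.6.22+maria~ubu2204", "10.11.18-MariaDB",
                   "11.4.3", "12.3.1", "10.5.29"):
        affected, fixed = check_cve_2026_48165(sample)
        verdict = f"AFFECTED, upgrade to {fixed}" if affected else "not in an affected range"
        print(f"{sample:42} {verdict}")
```

An in-range result alone does not establish exploitability: the record ties the issue to Galera joiner nodes, so pair the version check with a look at whether wsrep is enabled and who holds SUPER or SYSTEM_VARIABLES_ADMIN.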
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H