CVE-2026-49261 · Severity: CRITICAL · CNA: GitHub_M

CVE-2026-49261: MariaDB server has unsafe parameter handling in `wsrep_notify_cmd`

MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with `wsrep_notify_cmd` enabled would execute shell commands embedded in the name of the joiner node. This is fixed in 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. As a workaround, anyone who cannot upgrade now should disable `wsrep_notify_cmd`.

Metrics

  • CVSS v3.1: 10.0
  • Severity: CRITICAL
  • Fixed in: 10.6.27, 10.11.18, 11.4.12, 11.8.8, 12.3.2
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is an OS command injection vulnerability in MariaDB Server affecting the `wsrep_notify_cmd` Galera cluster notification feature. When the feature is enabled, a remote unauthenticated attacker can embed shell commands in the name of a joining cluster node, and MariaDB will execute those commands on the server host. Successful exploitation gives the attacker full remote code execution on the database host, with the ability to read, modify, or destroy data and disrupt service. A patched-image rebuild at the fixed versions (10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2) is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection (status: Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle MariaDB. Any image running an affected version in the ranges listed above is flagged automatically.
Triage (status: Available)

HarborGuard scores this CVE at CVSS 10.0 Critical and weights it further against each environment's compliance policy, escalating findings to the team inbox configured for that customer org. Per-environment policy settings can further prioritize workloads where the Galera clustering feature is likely enabled.
Patch (status: Pending upstream)

Because no upstream fix is currently published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainers ship a fix release. For customers who opt into auto-remediation, a rebuilt image, regression-test run, and a PR opened against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the MariaDB Galera cluster port over the network; no prior foothold on the host is needed.

  • Authentication: Not required

    No database credentials or OS account are needed; the malicious node name is supplied before any authentication takes place during the cluster join handshake.

  • Victim interaction: Not required

    No human action is required; the server processes the malicious node name automatically when a join is initiated.

  • Attack complexity: Low (AC:L)

    The exploit is reliable and condition-free: sending a crafted node name triggers command execution deterministically with no race conditions or memory-layout dependencies.

Blast Radius

  • Executes arbitrary OS commands on the database server host under the privileges of the MariaDB process user.
  • Reads any file accessible to the MariaDB process, including stored credentials, configuration files, and the full database contents.
  • Writes or overwrites files on the host filesystem, enabling persistence mechanisms such as cron jobs or SSH authorized-key injection.
  • Crashes or hangs the MariaDB service, causing a full database outage for all dependent applications.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active across all connected environments, flagging every image that bundles an affected MariaDB version. Because no upstream fix has been published yet, HarborGuard monitors the advisory on every ingest cycle and will generate a patched-image rebuild automatically the moment a fix version is released; for customers who opt into auto-remediation, that rebuild will be followed by a regression-test run and a PR opened against affected workloads. In the interim, HarborGuard surfaces the recommended compensating control directly in the finding detail: disable `wsrep_notify_cmd` in the MariaDB configuration to eliminate the vulnerable code path entirely. Additional compensating controls worth evaluating include network-policy rules that restrict which source IPs are permitted to initiate Galera cluster joins, and egress filtering on the database host to limit the impact of any command execution that does occur.
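A small triage helper for the two conditions this advisory hinges on: an affected server version and a non-empty `wsrep_notify_cmd`. This is an added example, not HarborGuard's or MariaDB's code; the version ranges are taken from the advisory above, and the sample version string and config fragments are constructed inputs.

```python
"""Triage helper for CVE-2026-49261 (constructed example, not HarborGuard code).

A host is only exposed to the vulnerable code path when both hold:
  1. the server version falls in an affected range, and
  2. wsrep_notify_cmd is set to a non-empty value in the server config.
"""
import re

# Affected ranges from the advisory: (lower bound inclusive, first fixed version exclusive).
AFFECTED_RANGES = [
    ((10, 6, 1), (10, 6, 27)),
    ((10, 11, 1), (10, 11, 18)),
    ((11, 4, 1), (11, 4, 12)),
    ((11, 8, 1), (11, 8, 8)),
    ((12, 3, 1), (12, 3, 2)),
]

def parse_version(version_string):
    """Extract (major, minor, patch) from a MariaDB VERSION() string such as
    '10.11.17-MariaDB-log'. Returns None if the string is unparseable."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_string.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected_version(version_string):
    v = parse_version(version_string)
    if v is None:
        return False
    return any(lo <= v < fixed for lo, fixed in AFFECTED_RANGES)

def notify_cmd_enabled(config_text):
    """True if an option-file line sets wsrep_notify_cmd to a non-empty value.
    Commented-out lines and empty assignments (the advisory's workaround) do not count.
    MariaDB accepts '-' and '_' interchangeably in option names, so both are matched."""
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith(("#", ";")):
            continue
        m = re.match(r"wsrep[_-]notify[_-]cmd\s*=\s*(.*)$", line, re.IGNORECASE)
        if m and m.group(1).strip().strip("\"'") != "":
            return True
    return False

def exposed(version_string, config_text):
    """Vulnerable code path is reachable only when both conditions hold."""
    return is_affected_version(version_string) and notify_cmd_enabled(config_text)

# Constructed sample inputs: an affected version, a config with the feature on, and one with it disabled.
SAMPLE_VERSION = "10.11.17-MariaDB-log"
VULNERABLE_CNF = "[galera]\nwsrep_on=ON\nwsrep_notify_cmd=/usr/local/bin/wsrep_notify.sh\n"
MITIGATED_CNF = "[galera]\nwsrep_on=ON\n# disabled per CVE-2026-49261 workaround\nwsrep_notify_cmd=\n"
```

On a live host the same two inputs come from `SELECT VERSION()` and the server's option files; a non-affected version or an empty `wsrep_notify_cmd` each alone is enough to take the host out of scope.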

Affected packages

  • MariaDB / server: >= 10.6.1, < 10.6.27 · >= 10.11.1, < 10.11.18 · >= 11.4.1, < 11.4.12 · >= 11.8.1, < 11.8.8 · = 12.3.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H