CVE-2026-44168

Vulnerability

In MariaDB server versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, the wsrep_sst_mariabackup method on the donor side interpolates parameters sent by the joiner into the command line without proper validation [1][2]. Affected versions are those that support Galera SST using mariabackup.

Exploitation

An attacker with network access to initiate a State Snapshot Transfer (SST) as a joiner can send crafted parameters (for example, a malicious CommonName in the SSL certificate) to the donor node [1]. The donor node interpolates these parameters into a shell command line without sanitization, enabling the attacker to inject arbitrary shell commands [2].

Impact

Successful exploitation allows the attacker to execute arbitrary shell commands on the donor node with the privileges of the MariaDB process, typically leading to full compromise of the donor server [2].

Mitigation

The vulnerability has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2 [1][2]. Users should upgrade to the latest fixed version. No workaround has been disclosed; users unable to upgrade restrict network access to trusted nodes only.