CVE-2026-44170
Description
Argument injection in MariaDB CONNECT REST Xcurl on Windows allows shell command execution via unsanitized table HTTP attribute.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
MariaDB on Windows, with the CONNECT storage engine installed and REST support enabled, contains an argument injection vulnerability in versions 10.6.1 before 10.6.26, 10.11.1 before 10.11.17, 11.4.1 before 11.4.11, 11.8.1 before 11.8.7, and 12.3.1. The CONNECT engine copies the table's HTTP attribute, unsanitized, into a curl command line with sprintf(cmd, "curl \"%s\" -o \"%s\"", buf, filename); and then executes it with CreateProcess(NULL, cmd, ...) [1][2]. Because the value is only wrapped in double quotes, an attribute containing a double quote closes the URL argument, and everything after it is parsed as further command-line arguments. This lets an attacker inject additional arguments through the HTTP attribute, which the advisory describes as leading to shell command execution [1][2].
Exploitation
An attacker needs the ability to create or alter a table on the CONNECT engine with REST support on a MariaDB server running on Windows. The attacker supplies a crafted HTTP attribute value in the table definition (CREATE TABLE ... ENGINE=CONNECT ... or ALTER TABLE) that contains a double quote followed by further curl arguments. CreateProcess does not itself pass the string through cmd.exe, so the injected text lands in curl's argument vector rather than in a shell parser; when the server builds and executes the curl command, that text is interpreted as additional arguments, which [1][2] describe as enabling arbitrary shell execution.
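To make the mechanics in the two sections above concrete, the following is an added example written for this page; it is not CONNECT source code or the MariaDB fix. It reconstructs the quoted sprintf pattern, splits the resulting string with a parser that follows the Windows CRT argv rules (the rules a curl.exe started by CreateProcess applies to its own command line), and shows how an attribute containing a double quote adds arguments. It then builds the same command with per-argument CRT quoting and an allow-list check on the attribute. The PAYLOAD string, the out.json file name and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define CMD_MAX 1024
#define MAX_ARGS 16

/* Constructed attribute value (not from the advisory): the embedded double quote closes
   the URL argument, so the rest is read by curl as options. */
static const char *PAYLOAD = "http://example.invalid/a\" --verbose --max-time \"5";

/* Append one char and keep the buffer NUL-terminated; returns 0 when full. */
static int put_ch(char *out, size_t cap, size_t *len, char c) {
    if (*len + 1 >= cap) return 0;
    out[(*len)++] = c; out[*len] = '\0';
    return 1;
}

/* The pattern the advisory quotes (reconstruction, not the CONNECT engine's source). */
int build_cmd_vuln(char *cmd, size_t cap, const char *http, const char *filename) {
    int n = snprintf(cmd, cap, "curl \"%s\" -o \"%s\"", http, filename);
    return n >= 0 && (size_t)n < cap;
}

/* Quote one argument so the Windows CRT reproduces it byte for byte: wrap it in quotes,
   escape embedded quotes as \" and double the backslashes that precede a quote or the end. */
static int quote_win_arg(char *out, size_t cap, size_t *len, const char *arg) {
    if (!put_ch(out, cap, len, '"')) return 0;
    for (const char *p = arg; ; p++) {
        size_t nb = 0, extra;
        while (*p == '\\') { nb++; p++; }
        extra = (*p == '\0') ? nb * 2 : (*p == '"') ? nb * 2 + 1 : nb;
        for (size_t i = 0; i < extra; i++) if (!put_ch(out, cap, len, '\\')) return 0;
        if (*p == '\0') break;
        if (!put_ch(out, cap, len, *p)) return 0;
    }
    return put_ch(out, cap, len, '"');
}

/* Hardened builder: same four arguments, each quoted individually. */
int build_cmd_safe(char *cmd, size_t cap, const char *http, const char *filename) {
    const char *argv[] = { "curl", http, "-o", filename };
    size_t len = 0; cmd[0] = '\0';
    for (int i = 0; i < 4; i++) {
        if (i && !put_ch(cmd, cap, &len, ' ')) return 0;
        if (!quote_win_arg(cmd, cap, &len, argv[i])) return 0;
    }
    return 1;
}

/* Split a command line into argv as the Windows CRT does for a CreateProcess child
   (documented rules; the simpler special case for argv[0] is ignored here). */
int win_split(const char *cmd, char *buf, size_t cap, char **argv, int max) {
    int argc = 0;
    size_t len = 0;
    for (const char *p = cmd; ; ) {
        while (*p == ' ' || *p == '\t') p++;
        if (*p == '\0' || argc >= max) return argc;
        argv[argc++] = buf + len;
        int in_quote = 0;
        while (*p && (in_quote || (*p != ' ' && *p != '\t'))) {
            if (*p == '\\') {                        /* backslashes escape only a following quote */
                size_t nb = 0;
                while (*p == '\\') { nb++; p++; }
                for (size_t i = 0; i < (*p == '"' ? nb / 2 : nb); i++)
                    if (!put_ch(buf, cap, &len, '\\')) return -1;
                if (*p == '"' && (nb & 1)) {         /* odd run: this quote is a literal */
                    if (!put_ch(buf, cap, &len, '"')) return -1;
                    p++;
                }
            } else if (*p == '"') {                  /* toggle quoting; "" inside quotes is a literal quote */
                if (in_quote && p[1] == '"') { if (!put_ch(buf, cap, &len, '"')) return -1; p++; }
                else in_quote = !in_quote;
                p++;
            } else {
                if (!put_ch(buf, cap, &len, *p)) return -1;
                p++;
            }
        }
        if (!put_ch(buf, cap, &len, '\0')) return -1; /* terminate this argv entry */
    }
}

/* Allow-list check before the attribute reaches any command line: an http(s) URL with no
   quote, backslash, whitespace or control byte. Added defence, not the CONNECT engine's code. */
int validate_http_attr(const char *s) {
    if (strncmp(s, "http://", 7) != 0 && strncmp(s, "https://", 8) != 0) return 0;
    for (; *s; s++)
        if (*s == '"' || *s == '\\' || (unsigned char)*s <= ' ' || (unsigned char)*s >= 0x7f) return 0;
    return 1;
}

/* argv count curl would see from each builder for PAYLOAD; -1 if the safe form does not round-trip. */
int demo_argc(int safe) {
    char cmd[CMD_MAX], buf[CMD_MAX], *argv[MAX_ARGS];
    int ok = safe ? build_cmd_safe(cmd, sizeof cmd, PAYLOAD, "out.json")
                  : build_cmd_vuln(cmd, sizeof cmd, PAYLOAD, "out.json");
    if (!ok) return -1;
    int argc = win_split(cmd, buf, sizeof buf, argv, MAX_ARGS);
    if (safe && (argc != 4 || strcmp(argv[1], PAYLOAD) != 0)) return -1;
    return argc;
}

int main(void) {
    printf("vulnerable builder: %d argv entries; quoted builder: %d; attribute passes allow-list: %d\n",
           demo_argc(0), demo_argc(1), validate_http_attr(PAYLOAD));
    return 0;
}
```

With the constructed payload the vulnerable builder yields seven argv entries (curl, the URL, --verbose, --max-time, 5, -o, out.json), while the quoted builder yields the intended four with the attribute delivered to curl unchanged. win_split implements the documented CRT rules: whitespace separates words, a quoted span forms one argument, backslashes are literal unless they precede a quote, and a doubled quote inside a quoted span is a literal quote (the post-2008 CRT behaviour). Quoting alone stops the argument split; the allow-list check is the additional layer that keeps an attribute that is not a plain http(s) URL from reaching the command builder at all.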
Impact
Successful exploitation allows the attacker to execute arbitrary shell commands on the MariaDB server with the privileges of the MariaDB process. This can lead to full compromise of the database server, including data exfiltration, modification, or further lateral movement within the Windows environment [2].
Mitigation
The vulnerability is fixed in MariaDB 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2 [1][2]. No workarounds are documented in the references, so upgrade to a fixed release. Since the affected code is only reachable when the CONNECT engine is installed with REST support, servers that do not need CONNECT should not load the plugin, and the ability to create or alter CONNECT tables should be limited to trusted accounts.
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
OSV coordinates (3 versions, no CPE):
- pkg:rpm/opensuse/mariadb&distro=openSUSE%20Tumbleweed, range: < 11.8.7-1.1
- pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7, range: < 11.8.8-150700.3.15.1
- pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP7, range: < 11.8.8-150700.3.15.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
News mentions (0)
No linked articles in our index yet.