VYPR
Medium severity 5.0 · NVD Advisory · Published Jun 12, 2026

CVE-2026-44173


Description

MariaDB fails to check FILE privilege for SELECT ... INTO OUTFILE/DUMPFILE when FROM clause contains only subqueries, allowing unauthorized file writes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

MariaDB server versions 10.6.1 to 10.6.25, 10.11.1 to 10.11.16, 11.4.1 to 11.4.10, 11.8.1 to 11.8.6, and 12.3.1 contain a privilege-check bypass in SELECT ... INTO OUTFILE and SELECT ... INTO DUMPFILE statements. When the FROM clause consists solely of subqueries (derived tables), the server does not verify that the user possesses the FILE privilege. This oversight allows users with only SELECT privilege to write files to the server filesystem, contrary to intended access controls [1][2].

Exploitation

An attacker needs a valid database user account with the ability to execute SELECT statements. No FILE privilege is required. The attacker crafts a query such as SELECT * INTO OUTFILE '/tmp/evil.txt' FROM (SELECT 'hello') t; to write arbitrary content to a file. The attack is limited by filesystem permissions and the --secure-file-priv option, which restricts writable directories. No additional authentication or user interaction is needed beyond the existing database session [1][2].

Impact

Successful exploitation allows an attacker to write arbitrary data to files on the server's filesystem. This can lead to information disclosure (e.g., overwriting configuration files, planting web shells if the web server has write access), or denial of service by filling disk space. The attacker bypasses the intended FILE privilege check, escalating from a low-privileged user to a position capable of writing files. The impact is mitigated by filesystem permissions and the --secure-file-priv setting [2].

Mitigation

The vulnerability is patched in MariaDB versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2. Users should upgrade to these versions or later. As a workaround, ensure that the --secure-file-priv system variable is set to a safe directory and that filesystem permissions prevent unauthorized writes. No known exploitation in the wild or KEV listing has been reported [2].
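An added example, not part of the advisory or of MariaDB's code: a Python check that takes a server's `SELECT VERSION()` output and its `secure_file_priv` value and classifies it against the affected ranges and fixed releases listed above. The function names and result labels are assumptions made for this example, and the inventory at the bottom is constructed.

```python
import re

# Series -> (first affected patch, last affected patch), from the advisory text.
AFFECTED = {
    (10, 6): (1, 25),
    (10, 11): (1, 16),
    (11, 4): (1, 10),
    (11, 8): (1, 6),
    (12, 3): (1, 1),
}


def parse_version(banner):
    """Return (major, minor, patch) from a VERSION() string like '10.6.25-MariaDB-log'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError(f"unrecognised version string: {banner!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(banner):
    """True if the version falls in a range the advisory lists as affected."""
    major, minor, patch = parse_version(banner)
    bounds = AFFECTED.get((major, minor))  # series not listed -> not flagged
    return bounds is not None and bounds[0] <= patch <= bounds[1]


def first_fixed(banner):
    """First patched release for the server's series, or None if the series is not listed."""
    major, minor, _ = parse_version(banner)
    bounds = AFFECTED.get((major, minor))
    return None if bounds is None else f"{major}.{minor}.{bounds[1] + 1}"


def triage(banner, secure_file_priv):
    """Classify one server. Labels are hypothetical, chosen for this example."""
    if not is_affected(banner):
        return "not-in-affected-range"
    # Empty/unset secure_file_priv places no directory restriction on INTO OUTFILE.
    if not (secure_file_priv or "").strip():
        return f"affected-unrestricted (upgrade to {first_fixed(banner)})"
    return f"affected-restricted-to {secure_file_priv} (upgrade to {first_fixed(banner)})"


if __name__ == "__main__":
    # Constructed sample inventory: (VERSION() output, secure_file_priv value)
    for banner, sfp in [("10.6.25-MariaDB-log", ""), ("11.4.11-MariaDB", ""),
                        ("12.3.1-MariaDB", "/var/lib/mysql-files/")]:
        print(banner, "->", triage(banner, sfp))
```

A release series the advisory does not list is reported as not in the affected range, which reflects only what the advisory states.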

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2
