CVE-2026-48163
Description
MariaDB SST donor unsafely interpolates joiner-supplied parameters, enabling arbitrary shell command execution via the rsync method in versions before 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In MariaDB server versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, the donor node in a State Snapshot Transfer (SST) interpolates parameters received from the joiner into the command line without proper validation. Specifically, the wsrep_sst_rsync.sh script inserts the WSREP_SST_OPT_REMOTE_USER and WSREP_SST_OPT_REMOTE_PSWD values into a stunnel.conf heredoc and into the rsync magic file. Because these values originate from the joiner side and are not sanitized, a newline or other shell metacharacter in them splices additional directives into the generated content, leading to arbitrary shell command execution on the donor. [1][2]
Exploitation
An attacker must be in a position to act as a joiner node in an SST exchange, which typically requires network access to the Galera cluster and the ability to initiate an SST request. No authentication beyond the SST protocol itself is needed. The attacker crafts the WSREP_SST_OPT_REMOTE_USER or WSREP_SST_OPT_REMOTE_PSWD value to contain a newline followed by arbitrary shell commands. When the donor processes the SST request, the unvalidated value is interpolated into the shell command line, causing the injected commands to execute on the donor host. [2]
Impact
Successful exploitation allows the attacker to execute arbitrary shell commands on the donor node with the privileges of the MariaDB server process. This can lead to full compromise of the donor host, including data exfiltration, modification, or denial of service. The vulnerability has a CVSS v3 base score of 8.0 (High). [2]
Mitigation
MariaDB has patched this issue in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. The fix extends the safe() function to reject tab and newline characters and applies it to all interpolations in wsrep_sst_rsync.sh. As a workaround, removing the vulnerable wsrep_sst_rsync script from the donor host prevents use of the rsync SST method; a cluster that relies on rsync SST must be switched to another SST method before doing so, or joiners will no longer be able to receive a state snapshot. [1][2]
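The interpolation pattern described under Vulnerability and the validation described under Mitigation, as an added shell example that is not code from MariaDB's wsrep_sst_rsync.sh: a generator that writes joiner-supplied values into a heredoc, a count showing that a value with an embedded newline adds a directive to the output, and a validator that refuses tab and newline (the behaviour the advisory attributes to the fix) before the value reaches the heredoc. The section name, directive names, sample user and password values, and the byte allowlist used on top of the tab/newline rejection are assumptions made for this example.

```shell
#!/bin/sh
# Added illustration, not MariaDB's wsrep_sst_rsync.sh. Section and directive
# names, sample values and the byte allowlist are constructed for the example.

nl='
'
tab=$(printf '\t')

# Unsafe pattern: the values go into the heredoc exactly as received, so a
# newline inside a value becomes a new line (a new directive) in the output.
render_conf_unsafe() {
    cat <<EOF
[rsync]
user = $1
password = $2
EOF
}

# Number of "key = value" directive lines in a rendered config.
count_directives() {
    printf '%s\n' "$1" | grep -c '='
}

# Validator modelled on the described fix: reject tab and newline outright.
# The byte allowlist below is an extra restriction assumed here (not taken
# from the advisory) so other shell metacharacters are refused as well.
# Returns 0 for an acceptable value, 1 otherwise.
is_safe_value() {
    case "$1" in
        ""|*"$nl"*|*"$tab"*) return 1 ;;
    esac
    # Delete every allowed byte; anything left over is disallowed. The 'x'
    # sentinel keeps $(...) from stripping a trailing newline before the test.
    rest=$(printf '%s' "$1" | LC_ALL=C tr -d 'A-Za-z0-9._@-'; printf x)
    [ "$rest" = x ]
}

# Hardened pattern: validate every interpolated value and fail closed.
render_conf_safe() {
    for v in "$1" "$2"; do
        if ! is_safe_value "$v"; then
            echo "rejected unsafe SST parameter" >&2
            return 1
        fi
    done
    render_conf_unsafe "$1" "$2"
}

# Demonstration with constructed values: the injected password adds a third
# directive to the unsafe rendering, and the safe renderer refuses it.
injected="s3cret${nl}extra = injected"
echo "unsafe, clean input: $(count_directives "$(render_conf_unsafe joiner s3cret)") directives"
echo "unsafe, injected:    $(count_directives "$(render_conf_unsafe joiner "$injected")") directives"
if render_conf_safe joiner "$injected" >/dev/null 2>&1; then
    echo "safe renderer accepted the injected value (unexpected)"
else
    echo "safe renderer rejected the injected value"
fi
```

The allowlist is deliberately stricter than a plain tab/newline check: a username or password that reaches a heredoc, a secrets file, or a command line should be validated against what the consumer actually accepts, not against a list of known-bad bytes.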
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
osv-coords (3 versions):
- pkg:rpm/opensuse/mariadb&distro=openSUSE%20Tumbleweed (no CPE) range: < 11.8.8-1.1
- pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7 (no CPE) range: < 11.8.8-150700.3.15.1
- pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP7 (no CPE) range: < 11.8.8-150700.3.15.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.