VYPR
High severity · 8.0 · NVD Advisory · Published Jun 12, 2026

CVE-2026-48165

Description

MariaDB Galera cluster nodes allow high-privileged users to execute arbitrary shell commands via unsanitized wsrep_sst_receive_address or wsrep_sst_donor variables.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A MariaDB user holding the SUPER privilege can exploit unsanitized input in the global system variables wsrep_sst_receive_address and wsrep_sst_donor, which are used to construct shell commands during Galera cluster state snapshot transfer (SST) operations. The vulnerability affects MariaDB versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1 [1][2].

Exploitation

An attacker must have a high-privileged database account (e.g., SUPER privilege) to set the wsrep_sst_receive_address or wsrep_sst_donor variables at runtime. When a Galera node initiates an SST join, the unsanitized variable values are passed to a shell command, resulting in arbitrary command execution with the privileges of the mariadbd process (typically the mysql operating system user) on the joiner node [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary shell commands as the mariadbd process owner. This can lead to full compromise of the database server, including data exfiltration, modification, or denial of service. The attacker escalates from a high-privileged database user to an operating system user, gaining control beyond the database [2].

Mitigation

MariaDB has patched this issue in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2 [1][2]. Users should upgrade to the latest patched version for their branch. No workarounds are documented; restricting the SUPER privilege or disabling Galera SST are potential interim mitigations, but they are not recommended as long-term solutions.
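The affected ranges in the Vulnerability section and the fixed releases in the Mitigation section are easy to misread when checking a fleet by hand, because each branch has its own cut-off. The following added example (not code from the VYPR page or from MariaDB) encodes exactly those ranges and tells an operator whether a given build still needs the upgrade, and whether the Galera SST path is even reachable on that server. It assumes the version string comes from `SELECT VERSION()` and the Galera flag from `SELECT @@wsrep_on` (both real MariaDB queries); the sample version strings in the block are constructed.

```python
"""Exposure check for CVE-2026-48165 (MariaDB Galera SST variable injection).

Added example; not part of the advisory page or of MariaDB's own tooling.
The ranges below are copied verbatim from the advisory text.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# (branch, first affected release, first fixed release) as stated in the advisory.
# 12.3.1 is listed as affected, with 12.3.2 as the fixed release.
AFFECTED_RANGES: list[tuple[str, str, str]] = [
    ("10.6", "10.6.1", "10.6.27"),
    ("10.11", "10.11.1", "10.11.18"),
    ("11.4", "11.4.1", "11.4.12"),
    ("11.8", "11.8.1", "11.8.8"),
    ("12.3", "12.3.1", "12.3.2"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract X.Y.Z from strings such as '10.6.20-MariaDB-log' (SELECT VERSION() output)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised MariaDB version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


@dataclass(frozen=True)
class Assessment:
    version: str
    branch: str | None    # advisory branch the build falls into, if any
    affected: bool
    fixed_in: str | None  # first fixed release on that branch, when affected


def assess(version_text: str) -> Assessment:
    """Decide whether a build lies inside one of the advisory's affected ranges."""
    v = parse_version(version_text)
    for branch, first_bad, first_fixed in AFFECTED_RANGES:
        lo, hi = parse_version(first_bad), parse_version(first_fixed)
        if v[:2] == lo[:2]:
            affected = lo <= v < hi
            return Assessment(version_text, branch, affected, first_fixed if affected else None)
    # Branches the advisory does not name (e.g. 10.5) are not listed as affected.
    return Assessment(version_text, None, False, None)


def is_galera_enabled(wsrep_on: str) -> bool:
    """Interpret the value of @@wsrep_on ('ON'/'OFF' or '1'/'0')."""
    return wsrep_on.strip().upper() in {"ON", "1"}


def urgency(version_text: str, wsrep_on: str = "OFF") -> str:
    """Rank the action for one server.

    'upgrade-now' : affected build that actually runs Galera, so the SST code
                    path that consumes the two variables is reachable.
    'upgrade'     : affected build with wsrep off; still patch, lower priority.
    'ok'          : build is at or beyond the fixed release, or on an unlisted branch.
    """
    a = assess(version_text)
    if not a.affected:
        return "ok"
    return "upgrade-now" if is_galera_enabled(wsrep_on) else "upgrade"


if __name__ == "__main__":
    # Constructed inventory: (host, SELECT VERSION(), SELECT @@wsrep_on).
    inventory = [
        ("db-a", "10.6.20-MariaDB-log", "ON"),
        ("db-b", "10.6.27-MariaDB", "ON"),
        ("db-c", "12.3.1-MariaDB", "OFF"),
        ("db-d", "10.5.29-MariaDB", "ON"),
    ]
    for host, ver, wsrep in inventory:
        a = assess(ver)
        print(f"{host:6} {ver:22} {urgency(ver, wsrep):12} fixed_in={a.fixed_in}")
```

Run it against the output of the two queries collected from each node; anything reported as `upgrade-now` is a Galera member on a vulnerable build and should be moved to the fixed release for its branch first.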

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 4

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff; without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0

No linked articles in our index yet.