VYPR
Critical severity · CVSS 10.0 · NVD Advisory · Published Jun 11, 2026 · Updated Jun 11, 2026

CVE-2026-49261

Description

MariaDB with wsrep_notify_cmd enabled executes shell commands from the joiner node name, leading to pre-auth RCE as the database user.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A command injection vulnerability exists in the MariaDB server, a community-developed fork of MySQL. The wsrep_notify_cmd functionality, when enabled, fails to sanitize peer-supplied fields such as wsrep_node_name and wsrep_node_incoming_address before interpolating them into the notification command line [1], [2]. Affected versions are 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 [1], [2].

Exploitation

An attacker acting as a joiner node in a Galera cluster can embed arbitrary shell commands in the node name. If the target server has wsrep_notify_cmd enabled, the server will execute the command with the privileges of the MariaDB process when processing the joiner node's name [1], [2]. No authentication is required; the attacker only needs network access to initiate a Galera connection.

Impact

Successful exploitation allows remote, unauthenticated attackers to execute arbitrary operating system commands on the MariaDB server. This can lead to full compromise of the database server, including data exfiltration, modification, or deletion, and potentially lateral movement within the network [1], [2]. The vulnerability is rated Critical with a CVSS v3 score of 10.0.

Mitigation

The fixed versions are 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2 [1], [2]. As a temporary workaround, administrators who cannot immediately upgrade should disable wsrep_notify_cmd [1], [2].

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 4

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input validation in wsrep_notify_status() allows shell metacharacters in peer-supplied node name and incoming address fields to be interpolated verbatim into a shell command."

Attack vector

An unauthenticated remote attacker can join a Galera cluster as a new node, setting the `wsrep_node_name` or `wsrep_node_incoming_address` to contain shell metacharacters. When any existing cluster member that has `wsrep_notify_cmd` enabled processes the join notification, it executes the crafted string via `sh -c`, allowing arbitrary command injection [1]. The CVSS vector indicates network-based exploitation with no authentication required and high impact on confidentiality, integrity, and availability.

Affected code

The vulnerability resides in the `wsrep_notify_status()` function, which interpolates `members[i].name()` (the peer's `wsrep_node_name`) and `members[i].incoming()` (the peer's `wsrep_node_incoming_address`) verbatim into a command string executed via `sh -c`. The patch adds validation to reject values containing shell-significant characters before substitution, mirroring the `safe()` function in `scripts/wsrep_sst_common.sh`.

What the fix does

The fix validates both `wsrep_node_name` and `wsrep_node_incoming_address` before substitution, rejecting values containing shell-significant characters and skipping the notification if invalid characters are found [1]. This mirrors the `safe()` function already used in `scripts/wsrep_sst_common.sh` for similar SST-related sanitization. The exact diff is not reproduced here, but the advisory confirms the solution is to reject shell-significant characters rather than attempting to escape them.
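As an added illustration of the check described in the "Affected code" and "What the fix does" sections (this is example code, not MariaDB's source and not the patch itself), the following C validator refuses a peer-supplied node name or incoming address before it is placed into the notification command, and tells the caller to skip the notification instead. The allowlist and the function names are assumptions; the real patch's exact character set is not shown on this page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed allowlist for this example. The advisory says the fix rejects
 * shell-significant characters; accepting only a known-safe alphabet is the
 * strict form of that check. The real patch's exact character set is not
 * reproduced on this page. */
static int wsrep_field_is_safe(const char *s)
{
    if (s == NULL || *s == '\0')
        return 0;                        /* empty is not a usable name/address */
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (isalnum(c) || c == '.' || c == '-' || c == '_' ||
            c == ':' || c == '[' || c == ']')   /* host, IPv4, [IPv6]:port */
            continue;
        return 0;   /* whitespace, quotes, $ ` ; | & < > ( ) newline, ... */
    }
    return 1;
}

/* Builds the "name/incoming" fragment for one cluster member as it would be
 * handed to wsrep_notify_cmd. Returns 0 on success; -1 means the caller must
 * skip the notification instead of running the command. */
static int wsrep_format_member(char *out, size_t cap,
                               const char *name, const char *incoming)
{
    if (!wsrep_field_is_safe(name) || !wsrep_field_is_safe(incoming))
        return -1;
    int n = snprintf(out, cap, "%s/%s", name, incoming);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample peers: one well-formed, one carrying a metacharacter. */
    const char *addr = "10.0.0.12:3306";
    char buf[128];
    if (wsrep_format_member(buf, sizeof buf, "node-02", addr) == 0)
        printf("notify: %s\n", buf);      /* notify: node-02/10.0.0.12:3306 */
    if (wsrep_format_member(buf, sizeof buf, "node;02", addr) != 0)
        printf("notification skipped: unsafe peer field\n");
    return 0;
}
```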

Preconditions

  • config: The target cluster member must have wsrep_notify_cmd configured and enabled.
  • network: The attacker must be able to join the Galera cluster as a new node (network access to the cluster).
  • input: The attacker controls the wsrep_node_name or wsrep_node_incoming_address fields of their joining node.

Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0

No linked articles in our index yet.