MariaDB Server up to 12.3.1 joiner os command injection

Summaryinfo

A vulnerability has been found in MariaDB Server up to 10.6.25/10.11.16/11.4.10/11.8.6/12.3.1 and classified as critical. The affected element is an unknown function of the component joiner Handler. Performing a manipulation results in os command injection. This vulnerability is known as CVE-2026-44168. Remote exploitation of the attack is possible. No exploit is available. The affected component should be upgraded.

Detailsinfo

A vulnerability, which was classified as problematic, was found in MariaDB Server up to 10.6.25/10.11.16/11.4.10/11.8.6/12.3.1. This affects an unknown part of the component joiner Handler. The manipulation with an unknown input leads to a os command injection vulnerability. CWE is classifying the issue as CWE-78. The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, during the SST the donor node is interpolating parameters that the joiner sent into the command line. Not all parameters were properly validated which could allow a malicious joiner to execute arbitrary shell commands on the donor side via the mariabackup SST method. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.

It is possible to read the advisory at github.com. This vulnerability is uniquely identified as CVE-2026-44168 since 05/05/2026. The exploitability is told to be difficult. It is possible to initiate the attack remotely. The exploitation requires an enhanced level of successful authentication. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1202 according to MITRE ATT&CK.

Upgrading to version 10.6.26, 10.11.17, 11.4.11, 11.8.7 or 12.3.2 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-36514). Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Type

• Database Software

Vendor

• MariaDB

Name

• Server

Version

• 10.6.0
• 10.6.1
• 10.6.2
• 10.6.3
• 10.6.4
• 10.6.5
• 10.6.6
• 10.6.7
• 10.6.8
• 10.6.9
• 10.6.10
• 10.6.11
• 10.6.12
• 10.6.13
• 10.6.14
• 10.6.15
• 10.6.16
• 10.6.17
• 10.6.18
• 10.6.19
• 10.6.20
• 10.6.21
• 10.6.22
• 10.6.23
• 10.6.24
• 10.6.25
• 10.11.0
• 10.11.1
• 10.11.2
• 10.11.3
• 10.11.4
• 10.11.5
• 10.11.6
• 10.11.7
• 10.11.8
• 10.11.9
• 10.11.10
• 10.11.11
• 10.11.12
• 10.11.13
• 10.11.14
• 10.11.15
• 10.11.16
• 11.4.0
• 11.4.1
• 11.4.2
• 11.4.3
• 11.4.4
• 11.4.5
• 11.4.6
• 11.4.7
• 11.4.8
• 11.4.9
• 11.4.10
• 11.8.0
• 11.8.1
• 11.8.2
• 11.8.3
• 11.8.4
• 11.8.5
• 11.8.6
• 12.3.0
• 12.3.1

License

• open-source

Website

• Product: https://github.com/MariaDB/server/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion