CVE-2026-49261

CRITICAL 10

Published 2026-06-11 · Last modified 2026-07-01

MariaDB Server is a community-developed fork of MySQL Server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with `wsrep_notify_cmd` enabled would execute shell commands embedded in the name of the joiner node. This is fixed in 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. As a workaround, anyone who cannot upgrade now should disable `wsrep_notify_cmd`.

ELEVATED IMPACT

Severe if exploited (CVSS 10), but no known exploitation and low modeled probability. Patch on a normal cadence.

Exploitation likelihood

1.0% chance of exploitation in 30 days · 58th percentile

○ In CISA KEV · ○ Public exploit / PoC

Impact if exploited

10 · CVSS 3.1 · CRITICAL

  • Confidentiality: High
  • Integrity: High
  • Availability: High

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: No account or privileges required
  • User interaction: No user interaction needed
  • Complexity: No special conditions — reliably repeatable

Affected

Vendors: MariaDB, Red Hat

Products:

  • MariaDB Server
  • Red Hat Enterprise Linux AppStream (v. 10)
  • Red Hat Enterprise Linux AppStream (v. 8)
  • Red Hat Enterprise Linux AppStream (v. 9)
  • Red Hat Hardened Images
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 9

Weakness (CWE)

  • CWE-78: OS command injection

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Sources: NVD · CVE.org · EPSS