CVE-2026-49261
MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with `wsrep_notify_cmd` enabled would execute shell commands embedded in the name of the joiner node. This is fixed in 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. As a workaround, anyone who cannot upgrade now should disable `wsrep_notify_cmd`.
Severe if exploited (CVSS 10), but there is no known exploitation and the modeled probability of exploitation is low. Patch on a normal cadence.
Exploitation likelihood
1.0% chance of exploitation in 30 days · 58th percentile
Impact if exploited
CVSS 3.1 base score 10 · CRITICAL
- Confidentiality: High
- Integrity: High
- Availability: High
What an attacker needs
- ✓ Access: Reachable over the network; no local access needed
- ✓ Privileges: No account or privileges required
- ✓ User interaction: No user interaction needed
- ✓ Complexity: No special conditions; reliably repeatable
Legend: ✓ lowers the bar for an attacker · ⚠ raises it
Affected
Products:
- Server
- Red Hat Enterprise Linux Appstream (V. 10)
- Red Hat Enterprise Linux Appstream (V. 8)
- Red Hat Enterprise Linux Appstream (V. 9)
- Red Hat Hardened Images
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 9
Weakness (CWE)
- CWE-78: OS command injection
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
References
Advisories
- https://access.redhat.com/errata/RHSA-2026:33412
- https://access.redhat.com/errata/RHSA-2026:33093
- https://access.redhat.com/errata/RHSA-2026:33464
- https://access.redhat.com/errata/RHSA-2026:33482
- https://access.redhat.com/errata/RHSA-2026:33481
- https://access.redhat.com/errata/RHSA-2026:25145
- https://access.redhat.com/errata/RHSA-2026:25143