Skip to main content
A Singapore Government Agency Website How to identify
Official website links end with .gov.sg
Government agencies communicate via .gov.sg websites (e.g. go.gov.sg/open). Trusted websites
Secure websites use HTTPS
Look for a lock () or https:// as an added precaution. Share sensitive information only on official, secure websites.

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
Alerts

Critical Vulnerabilities in MariaDB Community Server

17 June 2026

Attackers can exploit critical vulnerabilities in MariaDB Community Server to execute arbitrary shell commands on the affected system. Patch immediately.

Background

MariaDB has released security updates to address multiple vulnerabilities (CVE-2026-49261, CVE-2026-48165, CVE-2026-48163, and CVE-2026-44168) affecting MariaDB Community Server with Galera Cluster (wsrep) enabled. 

The following vulnerabilities have a Common Vulnerability Scoring System (CVSS v3.1) score of: CVE-2026-49261 at 10.0, CVE-2026-48165, CVE-2026-48163, and CVE-2026-44168 at 8.0, out of 10.

Impact

Successful exploitation of these vulnerabilities could lead to the following:

  • CVE-2026-49261: On systems with wsrep_notify_cmd enabled, an attacker could embed shell commands in the name of a joiner node, resulting in the execution of arbitrary shell commands on the affected system.

  • CVE-2026-48165: A high-privileged MariaDB user could use the wsrep_sst_receive_address or wsrep_sst_donor global system variables to execute shell commands as the uid of the mariadbd process on the Galera joiner node.

  • CVE-2026-48163: During State Snapshot Transfer (SST), a malicious joiner could send unvalidated parameters that are interpolated into the command line on the donor node, resulting in the execution of arbitrary shell commands on the donor side via the rsync SST method.

  • CVE-2026-44168: During State Snapshot Transfer (SST), a malicious joiner could send unvalidated parameters that are interpolated into the command line on the donor node, resulting in the execution of arbitrary shell commands on the donor side via the mariabackup SST method.

Affected Products

These vulnerabilities affect MariaDB Community Server in the following versions:

For CVE-2026-49261:

  • MariaDB 10.6: versions 10.6.1 through 10.6.26

  • MariaDB 10.11: versions 10.11.1 through 10.11.17

  • MariaDB 11.4: versions 11.4.1 through 11.4.11

  • MariaDB 11.8: versions 11.8.1 through 11.8.7

  • MariaDB 12.3: version 12.3.1

For CVE-2026-48165 and CVE-2026-48163:

  • MariaDB 10.6: versions 10.6.1 to before 10.6.27

  • MariaDB 10.11: versions 10.11.1 to before 10.11.18

  • MariaDB 11.4: versions 11.4.1 to before 11.4.12

  • MariaDB 11.8: versions 11.8.1 to before 11.8.8

  • MariaDB 12.3: version 12.3.1

For CVE-2026-44168:

  • MariaDB 10.6: versions 10.6.1 to before 10.6.26

  • MariaDB 10.11: versions 10.11.1 to before 10.11.17

  • MariaDB 11.4: versions 11.4.1 to before 11.4.11

  • MariaDB 11.8: versions 11.8.1 to before 11.8.7

  • MariaDB 12.3: version 12.3.1

Recommendations

Users and administrators of affected products are advised to update to the latest versions immediately. As an interim measure, users and administrators who are unable to update immediately should disable wsrep_notify_cmd to mitigate CVE-2026-49261.

References

https://mariadb.com/docs/server/security/cve/community-server

https://nvd.nist.gov/vuln/detail/CVE-2026-49261

https://nvd.nist.gov/vuln/detail/CVE-2026-48165

https://nvd.nist.gov/vuln/detail/CVE-2026-48163

https://nvd.nist.gov/vuln/detail/CVE-2026-44168

Back to top