CVE-2026-49261 CRITICAL

CVE-2026-49261: MariaDB server has unsafe parameter handling in `wsrep_notify_cmd`

Vendor Mariadb

Product server

Weakness CWE-78

Published June 11, 2026

Last update June 30, 2026

View on NVD All CVEs

CVSS base score

10.0/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with `wsrep_notify_cmd` enabled would execute shell commands embedded in the name of the joiner node. This is fixed in 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. As a workaround, anyone who cannot upgrade now should disable `wsrep_notify_cmd`.

Key dates

02Disclosure timeline

June 11, 2026 CVE published

June 30, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-49261 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

Identifiers

CVE CVE-2026-49261

CWE CWE-78

CVSS 10.0 / CRITICAL

Affected versions

Vendor Mariadb

Product server

Affected >= 10.6.1, < 10.6.27

Vendor Mariadb

Product server

Affected >= 10.11.1, < 10.11.18

Vendor Mariadb

Product server

Affected >= 11.4.1, < 11.4.12

Vendor Mariadb

Product server

Affected >= 11.8.1, < 11.8.8

Vendor Mariadb

Product server

Affected = 12.3.1

CVE-2026-49261: MariaDB server has unsafe parameter handling in `wsrep_notify_cmd`

01Description

02Disclosure timeline

03References

04Related CVE