CVE-2026-44169
Information Disclosure in MariaDB Server

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
MariaDB Server is a community-developed fork of MySQL Server. In versions 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, a user who obtains EXECUTE access to a stored routine via a role could see the routine definition even without the SHOW CREATE ROUTINE privilege. This issue has been patched in versions 11.4.11, 11.8.7, and 12.3.2.
Meta Information

Generated: 2026-06-13
AI Q&A: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products (3 associated CPEs)

Vendor    Product   Version / Range
mariadb   mariadb   up to 11.4.11 (excluding)
mariadb   mariadb   up to 11.8.7 (excluding)
mariadb   mariadb   up to 12.3.2 (excluding)
CWE

CWE ID    Description
CWE-863   Incorrect Authorization: the product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

AI Quick Actions (AI-generated content)
Executive Summary

This vulnerability in MariaDB server affects versions 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1. It allows a user who has EXECUTE access to a stored routine via a role to view the routine's definition even if they do not have the SHOW CREATE ROUTINE privilege. Essentially, the authorization check that should restrict access to the routine's definition is bypassed when privileges are granted through roles.

The issue was caused by incorrect enforcement of authorization checks for privileges obtained through roles and was fixed in versions 11.4.11, 11.8.7, and 12.3.2.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of stored routine definitions in MariaDB. Users who should only have EXECUTE access via roles might gain visibility into the underlying code or logic of stored procedures without proper privileges.

Such exposure could potentially reveal sensitive business logic, proprietary algorithms, or other confidential information embedded in the routines, which could be exploited by attackers or unauthorized users.

The vulnerability has a moderate severity with a CVSS score of 4.3, indicating that it requires low privileges and no user interaction, and can be exploited remotely over the network.

Detection Guidance

This vulnerability involves users with EXECUTE access to stored routines via roles being able to view routine definitions without the SHOW CREATE ROUTINE privilege.

To detect this vulnerability, you can check the MariaDB server version to see if it falls within the affected ranges: 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1.

Additionally, you can test if a user with EXECUTE privilege granted via a role can run SHOW CREATE PROCEDURE or SHOW CREATE FUNCTION commands to view routine definitions without having the SHOW CREATE ROUTINE privilege.

Example commands to check version and privileges:

  • SHOW VARIABLES LIKE 'version'; -- to check MariaDB version
  • SHOW GRANTS FOR 'user'@'host'; -- to check user privileges and roles
  • SET ROLE 'role_name'; SHOW CREATE PROCEDURE procedure_name; -- to test if routine definition is visible without SHOW CREATE ROUTINE privilege

Mitigation Strategies

The primary mitigation is to upgrade MariaDB server to a patched version where this vulnerability is fixed.

  • Upgrade to MariaDB 11.4.11, 11.8.7, or 12.3.2, or a later release in the same series.

Until the upgrade can be performed, review and restrict EXECUTE privileges granted via roles to trusted users only, as the vulnerability allows those users to view routine definitions without proper authorization.
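The following script ties the detection steps above and the interim role review together into one repeatable check. It is an added example, not code from the MariaDB project or from this advisory, and every object name in it (the appdb database, the report_totals procedure, the app_exec role, the tester account and its password) is constructed for the fixture. It is meant for a non-production instance, run first as an administrator and then, for the marked step, in a second session connected as the test user. The review query at the end assumes that grants made to a role are stored in mysql.procs_priv with an empty Host value, which is how MariaDB records role grants.

```sql
-- Added example (not from the MariaDB project or this advisory page).
-- Run on a NON-production instance as an administrator. All names below
-- (appdb, report_totals, app_exec, tester) are constructed for this check.

-- 1. Confirm the server build: affected ranges are 11.4.1 to before 11.4.11,
--    11.8.1 to before 11.8.7, and 12.3.1.
SHOW VARIABLES LIKE 'version';

-- 2. Minimal fixture: a routine, a role holding only EXECUTE on it, and a
--    low-privilege user who obtains EXECUTE solely through that role.
CREATE DATABASE IF NOT EXISTS appdb;
DELIMITER //
CREATE OR REPLACE PROCEDURE appdb.report_totals()
BEGIN
  SELECT 'routine body that should stay private' AS note;
END//
DELIMITER ;

CREATE OR REPLACE ROLE app_exec;
GRANT EXECUTE ON PROCEDURE appdb.report_totals TO app_exec;
CREATE OR REPLACE USER 'tester'@'localhost' IDENTIFIED BY 'change-me';
GRANT app_exec TO 'tester'@'localhost';
-- Deliberately NOT granted: SHOW CREATE ROUTINE, neither to the role nor to the user.

-- 3. In a second session connected as 'tester'@'localhost': activate the role
--    and try to read the definition.
--    Expected on a patched server: the statement is refused with an error.
--    Observed on an affected server: the CREATE PROCEDURE text is returned.
SET ROLE app_exec;
SHOW GRANTS;                                  -- should show EXECUTE only via app_exec
SHOW CREATE PROCEDURE appdb.report_totals;    -- the actual check

-- 4. Interim review for the mitigation step: every user who obtains EXECUTE on
--    a routine through a role, so the list can be pruned until the upgrade.
--    Assumes role grants are stored with Host = '' in mysql.procs_priv.
SELECT p.Db, p.Routine_name, p.Routine_type,
       p.User  AS role_name,
       rm.User AS granted_user,
       rm.Host AS granted_host
FROM mysql.procs_priv p
JOIN mysql.roles_mapping rm ON rm.Role = p.User
WHERE p.Host = ''
  AND FIND_IN_SET('Execute', p.Proc_priv)
ORDER BY p.Db, p.Routine_name, rm.User;

-- 5. Remove the fixture.
DROP USER 'tester'@'localhost';
DROP ROLE app_exec;
DROP PROCEDURE appdb.report_totals;
```

Step 3 is the only part that must run as the unprivileged account; the result of SHOW CREATE PROCEDURE there is the pass/fail signal for the check. Reading mysql.procs_priv and mysql.roles_mapping in step 4 requires an administrative account, and the join on role name assumes no ordinary user shares a name with a role.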

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
