CVE-2026-48163
MariaDB Server Command Injection via SST

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
MariaDB server is a community-developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, during an SST the donor node interpolates parameters sent by the joiner into a command line. Not all of these parameters were properly validated, which could allow a malicious joiner to execute arbitrary shell commands on the donor side via the rsync SST method. This issue has been patched in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2.
Meta Information
Generated: 2026-06-13
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
mariadb server From 10.6.1 (inc) to 10.6.27 (exc)
mariadb server From 10.11.1 (inc) to 10.11.18 (exc)
mariadb server From 11.4.1 (inc) to 11.4.12 (exc)
mariadb server From 11.8.1 (inc) to 11.8.8 (exc)
mariadb server 12.3.1
mariadb mariadb_server From 10.6.1 (inc) to 10.6.27 (exc)
mariadb mariadb_server From 10.11.1 (inc) to 10.11.18 (exc)
mariadb mariadb_server From 11.4.1 (inc) to 11.4.12 (exc)
mariadb mariadb_server From 11.8.1 (inc) to 11.8.8 (exc)
mariadb mariadb_server 12.3.1
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Compliance Impact

The CVE-2026-48163 vulnerability allows a malicious joiner to execute arbitrary shell commands on the donor node during the SST process due to improper validation of parameters. This command injection vulnerability could lead to unauthorized access or control over the database server.

Such unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.

Specifically, if exploited, this vulnerability could lead to data breaches or unauthorized data manipulation, violating requirements for protecting personal or sensitive health information.

Therefore, organizations using affected MariaDB versions must apply patches or mitigations promptly to maintain compliance with these regulations.

Executive Summary

CVE-2026-48163 is a vulnerability in the MariaDB Galera Cluster's rsync State Snapshot Transfer (SST) method. During the SST process, the donor node interpolates parameters sent by the joiner into command lines without properly validating them. Specifically, parameters like WSREP_SST_OPT_REMOTE_USER and WSREP_SST_OPT_REMOTE_PSWD were not sanitized, allowing an attacker controlling the joiner to inject malicious content such as newlines. This could alter configuration files or execute arbitrary shell commands on the donor node.

The root cause is improper validation of user-supplied parameters leading to command injection. The issue was fixed by sanitizing these parameters to prevent multi-line values and injection attacks.

Impact Analysis

This vulnerability allows a malicious joiner node in a MariaDB Galera Cluster to execute arbitrary shell commands on the donor node during the SST process. This can lead to full compromise of the donor server, including unauthorized access, data manipulation, or disruption of database services.

Because the attack requires high privileges and network access, it is a high-severity risk with a CVSS score of 8.0. Exploitation could result in confidentiality, integrity, and availability impacts on the affected MariaDB server.

As a mitigation, removing the vulnerable rsync SST method or upgrading to patched versions prevents exploitation.

Detection Guidance

This vulnerability involves unsafe parameter handling in the wsrep_sst_rsync.sh script used during the State Snapshot Transfer (SST) process with the rsync method in MariaDB Galera Cluster.

To determine whether your system is vulnerable, check the installed MariaDB server version against the affected ranges: 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, or 12.3.1.

Additionally, you can inspect the presence and usage of the wsrep_sst_rsync.sh script on the donor node, as this script is where the vulnerability exists.

Suggested commands to help detect the vulnerability include:

  • Check MariaDB version: `mysql -V` or `mariadb --version`
  • Locate the wsrep_sst_rsync.sh script: `find / -name wsrep_sst_rsync.sh 2>/dev/null`
  • Review the script for presence of unsafe parameter handling or if it has been patched (compare with known safe versions).
  • Check for unusual or suspicious entries in configuration files like stunnel.conf or rsync magic files that might indicate parameter injection.
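
The version check above, carried out as a script. This is an added example and not part of the advisory: it parses a `mariadb --version` / `mysql -V` line and tests it against the affected ranges listed on this page; the sample version line is constructed.

```bash
#!/usr/bin/env bash
# Added example: flag MariaDB server versions that fall in the ranges
# the advisory lists as affected by CVE-2026-48163.

# Compare two dotted versions numerically; prints -1, 0 or 1.
vercmp() {
  local IFS=.
  local a=($1) b=($2) i
  for i in 0 1 2; do
    if (( ${a[i]:-0} < ${b[i]:-0} )); then printf '%s\n' -1; return; fi
    if (( ${a[i]:-0} > ${b[i]:-0} )); then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# Affected ranges from the advisory: "lower (inclusive) upper (exclusive)".
# 12.3.1 is the only affected 12.3 release and 12.3.2 is its fix, so it is
# expressed as the range [12.3.1, 12.3.2).
AFFECTED_RANGES='10.6.1 10.6.27
10.11.1 10.11.18
11.4.1 11.4.12
11.8.1 11.8.8
12.3.1 12.3.2'

# is_affected X.Y.Z -> exit status 0 if the version is in an affected range.
is_affected() {
  local v="$1" lo hi
  while read -r lo hi; do
    if [ "$(vercmp "$v" "$lo")" -ge 0 ] && [ "$(vercmp "$v" "$hi")" -lt 0 ]; then
      return 0
    fi
  done <<EOF
$AFFECTED_RANGES
EOF
  return 1
}

# Pull the server version out of a `mariadb --version` or `mysql -V` line;
# both client formats embed it as "X.Y.Z-MariaDB".
extract_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+-MariaDB' | head -n1 | sed 's/-MariaDB$//'
}

# Constructed sample line for this example; on a real host substitute
# "$(mariadb --version 2>/dev/null || mysql -V)".
SAMPLE='mariadb  Ver 15.1 Distrib 10.11.9-MariaDB, for Linux (x86_64)'
if v=$(extract_version "$SAMPLE") && is_affected "$v"; then
  echo "MariaDB $v is in an affected range: upgrade or disable the rsync SST method"
else
  echo "MariaDB ${v:-unknown} is not in an affected range"
fi
```

A version outside every range still warrants confirming that wsrep_sst_rsync.sh on the donor is the patched copy, since distribution packages may backport the fix without changing the reported version.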
Mitigation Strategies

Immediate mitigation steps include upgrading MariaDB server to a patched version where the vulnerability is fixed. The patched versions are 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2.

If upgrading immediately is not possible, a recommended workaround is to remove or disable the vulnerable wsrep_sst_rsync.sh script on the donor host to prevent the use of the rsync SST method.

This prevents the malicious joiner from exploiting the unsafe parameter interpolation during SST.

Additionally, review and restrict access to the donor node to trusted joiners only, as the attack requires a malicious joiner with high privileges.
