CVE-2026-48165
Command Injection in MariaDB Server

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
MariaDB server is a community-developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, a high-privileged MariaDB user could have used the wsrep_sst_receive_address or wsrep_sst_donor global system variables to execute shell commands as the uid of the mariadbd process on the Galera joiner node. This issue has been patched in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2.
Meta Information
Generated: 2026-06-13
AI Q&A: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products (5 associated CPEs)
Vendor    Product    Version / Range
mariadb   mariadb    to 10.6.27 (exc)
mariadb   mariadb    to 10.11.18 (exc)
mariadb   mariadb    to 11.4.12 (exc)
mariadb   mariadb    to 11.8.8 (exc)
mariadb   mariadb    to 12.3.2 (exc)
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Quick Actions
Executive Summary

CVE-2026-48165 is a vulnerability in MariaDB server where a high-privileged user with SUPER privileges can exploit improper sanitization of the global system variables wsrep_sst_receive_address and wsrep_sst_donor.

These variables are used to construct shell commands on the Galera joiner node, but because they are not properly validated, an attacker can inject arbitrary shell commands.

This allows execution of shell commands with the privileges of the mariadbd process, potentially leading to serious security risks.

Impact Analysis

This vulnerability can have severe impacts including unauthorized execution of arbitrary shell commands on the database server.

  • Compromise of confidentiality by accessing sensitive data.
  • Compromise of integrity by modifying or deleting data.
  • Compromise of availability by disrupting database services.

Because the attack requires high privileges but can be executed remotely over the network, it poses a significant risk to affected systems.

Detection Guidance

To determine whether your system is exposed, first identify the running MariaDB server version and check whether it falls within the vulnerable ranges: 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, or 12.3.1.

You can check the MariaDB version by running the following command in your database client or terminal:

  • mysql -u root -p -e 'SELECT VERSION();'

Additionally, to detect if the vulnerable global system variables wsrep_sst_receive_address or wsrep_sst_donor have been modified or are set to suspicious values, you can query their current values:

  • mysql -u root -p -e "SHOW GLOBAL VARIABLES LIKE 'wsrep_sst_receive_address';"
  • mysql -u root -p -e "SHOW GLOBAL VARIABLES LIKE 'wsrep_sst_donor';"

Monitoring for unusual or unexpected shell command executions by the mariadbd process or checking logs for suspicious activity related to these variables may also help detect exploitation attempts.
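The two checks above as a script, added here as an example and not taken from the advisory or from MariaDB itself: it parses the string that SELECT VERSION() returns, compares it against the ranges listed in this advisory, and flags a wsrep_sst_receive_address or wsrep_sst_donor value that contains anything other than host, port or node-name characters. The sample values in the script are constructed.

```python
import re

# (first affected, first fixed) pairs taken from the advisory text; 12.3.1
# is the only affected 12.3 release and 12.3.2 is its fix.
VULNERABLE_RANGES = [
    ((10, 6, 1), (10, 6, 27)),
    ((10, 11, 1), (10, 11, 18)),
    ((11, 4, 1), (11, 4, 12)),
    ((11, 8, 1), (11, 8, 8)),
    ((12, 3, 1), (12, 3, 2)),
]


def parse_version(raw):
    """'10.11.9-MariaDB-ubu2204-log' -> (10, 11, 9); the distro suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", raw.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(raw):
    """True when the version lies in one of the advisory's half-open ranges."""
    v = parse_version(raw)
    return any(lo <= v < hi for lo, hi in VULNERABLE_RANGES)


# A receive address is host:port (IPv6 in brackets) or AUTO; a donor list is
# comma-separated node names, possibly with a trailing comma. Anything else,
# in particular shell metacharacters, is a value worth investigating.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n'\"]")
VALID_VALUE = re.compile(r"^[A-Za-z0-9._:\[\]-]*(,[A-Za-z0-9._:\[\]-]*)*$")


def suspicious_wsrep_values(variables):
    """Return the names of the two SST variables whose value is not a plain
    address or donor list. `variables` maps variable name to current value,
    as returned by SHOW GLOBAL VARIABLES LIKE 'wsrep_sst_%'."""
    flagged = []
    for name in ("wsrep_sst_receive_address", "wsrep_sst_donor"):
        value = variables.get(name, "")
        if SHELL_META.search(value) or not VALID_VALUE.match(value):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # Constructed sample input standing in for the client output.
    sample = {"wsrep_sst_receive_address": "10.0.0.5:4444", "wsrep_sst_donor": "node1,node2,"}
    print("vulnerable:", is_vulnerable_version("10.11.9-MariaDB-ubu2204-log"))
    print("suspicious:", suspicious_wsrep_values(sample))
```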

Mitigation Strategies

The immediate and most effective mitigation step is to upgrade your MariaDB server to a patched version where this vulnerability is fixed. The patched versions are 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2.

If upgrading immediately is not possible, restrict the privileges of MariaDB users to prevent high-privileged users from modifying the wsrep_sst_receive_address and wsrep_sst_donor global system variables.

Additionally, monitor and audit changes to these variables and the activities of the mariadbd process to detect any suspicious command execution attempts.

Compliance Impact

This vulnerability allows a high-privileged MariaDB user to execute arbitrary shell commands with the privileges of the mariadbd process, potentially leading to unauthorized access or control over the database server.

Such unauthorized command execution can compromise the confidentiality, integrity, and availability of sensitive data managed by MariaDB, which may include personal or protected health information.

As a result, this vulnerability could negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls to prevent unauthorized access and ensure data security.
