SB2026051913 - Multiple vulnerabilities in MariaDB
Published: May 19, 2026
Description
This security bulletin contains information about 5 vulnerabilities.
1) Incorrect authorization (CVE-ID: CVE-2026-44173)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote authenticated user to cause a denial of service.
The vulnerability exists because the FILE privilege is not checked for SELECT ... INTO OUTFILE and SELECT ... INTO DUMPFILE when every table in the FROM clause is a subquery (derived table). A remote user who lacks the FILE privilege can run a crafted query of this form to cause a denial of service.
The missing check means the privilege normally required for any server-side file write is bypassed for this query pattern. Until the update is applied, confirm that secure_file_priv points at a dedicated directory, since it restricts where INTO OUTFILE and INTO DUMPFILE may write independently of the privilege check.
2) OS Command Injection (CVE-ID: CVE-2026-44170)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary commands on the server.
The vulnerability exists due to command injection in the CONNECT storage engine's REST (Xcurl) support on Windows: the table's HTTP attribute is interpolated into the curl command line without escaping. A local user who can create or alter a CONNECT table can supply a crafted URL in the HTTP option to execute arbitrary commands with the privileges of the MariaDB server process.
Only MariaDB installations on Windows with the CONNECT engine installed and REST (curl-based) support enabled are affected. Whether CONNECT is loaded can be checked with SHOW ENGINES or INFORMATION_SCHEMA.PLUGINS.
3) Incorrect authorization (CVE-ID: CVE-2026-44169)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose stored routine definitions.
The vulnerability exists due to incorrect authorization in the routine-level privilege check when privileges are granted through a role: a user whose only access to a stored routine is EXECUTE obtained via a role is treated as entitled to view its definition. A remote user who is granted EXECUTE on a stored routine through a role can read that routine's definition.
The definition is exposed even though the user does not hold the SHOW CREATE ROUTINE privilege, which is the privilege that is supposed to gate it. Routine bodies frequently embed business logic or secrets, so roles that grant EXECUTE on sensitive routines are worth reviewing until the update is applied.
4) Path traversal (CVE-ID: CVE-2026-44171)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an attacker who can supply an archive to create files outside of the target directory on the machine where it is unpacked.
The vulnerability exists due to path traversal in mbstream (the mariabackup stream tool) when extracting an archive: entry names are not sanitised, so an entry containing /../ path elements is written outside the extraction directory. An attacker who can supply a crafted archive (for example a tampered backup stream) to an operator who extracts it with mbstream can create or overwrite files outside the target directory with that operator's privileges.
User interaction is required: the crafted archive must be unpacked by a local user, and backup restores are commonly run as a privileged account, which is why the confidentiality, integrity and availability impact is rated high.
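The check an extractor needs before writing each archive entry, as an added example that is not MariaDB's mbstream code (mbstream is C; this is a Python model of the same check). It rejects absolute names, names that normalise outside the target directory, backslash separators, and writes that would pass through a symlink already inside the tree. The archive entries below are constructed to mirror the /../ elements the advisory describes; the scratch directory and file names are assumptions of the example.

```python
"""Added example (not MariaDB code): the destination check an archive
extractor such as mbstream needs before writing an entry, and a
demonstration of why a plain os.path.join is not enough."""
import os
import tempfile


def destination_for(target_dir: str, entry_name: str) -> str:
    """Return the absolute path an archive entry may be written to, or raise
    ValueError if the entry would escape target_dir.

    Rejects empty or NUL-containing names, backslashes (a separator on
    Windows), absolute names, names whose normalised form leaves the target
    (so data/../../x is caught as well as ../x), and paths that resolve
    through an existing symlink to somewhere outside the target."""
    if not entry_name or "\0" in entry_name:
        raise ValueError(f"malformed entry name: {entry_name!r}")
    if "\\" in entry_name:
        raise ValueError(f"backslash in entry name: {entry_name!r}")
    if os.path.isabs(entry_name):
        raise ValueError(f"absolute entry name: {entry_name!r}")
    base = os.path.realpath(target_dir)
    candidate = os.path.normpath(os.path.join(base, entry_name))
    # Lexical check: the normalised path must stay strictly under base.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"entry escapes target directory: {entry_name!r}")
    # Physical check: realpath() follows any symlink in the already-existing
    # prefix, so a link planted inside the tree cannot redirect the write.
    if os.path.commonpath([base, os.path.realpath(candidate)]) != base:
        raise ValueError(f"entry resolves outside target: {entry_name!r}")
    return candidate


def unpack(entries, target_dir: str) -> list:
    """Write (name, data) pairs under target_dir, skipping rejected entries.
    Returns one (name, 'written' | 'rejected: <reason>') tuple per entry."""
    results = []
    for name, data in entries:
        try:
            dest = destination_for(target_dir, name)
        except ValueError as exc:
            results.append((name, f"rejected: {exc}"))
            continue
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as fh:
            fh.write(data)
        results.append((name, "written"))
    return results


# Constructed archive: ordinary backup files plus the kind of crafted
# entries the advisory describes. Names and contents are invented.
SAMPLE_ENTRIES = [
    ("ibdata1", b"innodb"),
    ("mysql/./db.frm", b"frm"),
    ("../outside.txt", b"escape"),
    ("data/../../outside2.txt", b"escape"),
    ("/etc/cron.d/backdoor", b"escape"),
    ("sub\\..\\..\\outside3.txt", b"escape"),
]


def classify_sample() -> dict:
    """Run SAMPLE_ENTRIES through unpack() in a scratch directory and return
    {entry_name: 'written' | 'rejected'}; nothing may appear beside the
    restore directory."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "restore")
        os.mkdir(target)
        results = unpack(SAMPLE_ENTRIES, target)
        assert sorted(os.listdir(tmp)) == ["restore"]
        return {name: status.split(":")[0] for name, status in results}


def symlink_escape_rejected() -> bool:
    """Plant restore/link -> <scratch dir> and try to write through it; the
    physical check must refuse and nothing must land outside restore/."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "restore")
        os.mkdir(target)
        os.symlink(tmp, os.path.join(target, "link"))
        results = unpack([("link/escaped.txt", b"x")], target)
        escaped = os.path.exists(os.path.join(tmp, "escaped.txt"))
        return results[0][1].startswith("rejected") and not escaped


if __name__ == "__main__":
    for name, status in classify_sample().items():
        print(f"{status:8} {name}")
    print("symlink escape rejected:", symlink_escape_rejected())
```

The lexical check alone is what most extractors implement; the second, realpath-based check is the part that also survives an archive whose earlier entry was a symlink, which is the usual follow-on trick once plain ../ is blocked.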
5) OS Command Injection (CVE-ID: CVE-2026-44168)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary shell commands on the donor node of a Galera cluster.
The vulnerability exists due to command injection in the donor-side handling of wsrep State Snapshot Transfer (SST) parameters: values sent by the joiner node are interpolated into a shell command line without escaping. A remote attacker who controls a node that the cluster accepts as a joiner can send crafted SST parameters to execute arbitrary shell commands on the donor with the privileges of the SST process.
The issue is triggered during state snapshot transfer and requires a malicious or compromised joiner, which is why the vector carries PR:H. Until the update is applied, restrict which hosts can reach the cluster's replication and SST ports, since only a node accepted as a joiner can start the transfer.
Remediation
Install the update from the vendor's website; the linked advisories and MDEV tickets identify the affected and fixed versions.
References
- https://github.com/MariaDB/server/security/advisories/GHSA-667j-m53j-wpmc
- https://jira.mariadb.org/browse/MDEV-39493
- https://github.com/MariaDB/server/security/advisories/GHSA-f835-cfjq-wf73
- https://jira.mariadb.org/browse/MDEV-39289
- https://github.com/MariaDB/server/security/advisories/GHSA-22xq-vq3f-87x2
- https://jira.mariadb.org/browse/MDEV-39288
- https://github.com/MariaDB/server/security/advisories/GHSA-9pjh-5hhw-65v9
- https://jira.mariadb.org/browse/MDEV-39408
- https://github.com/MariaDB/server/security/advisories/GHSA-vwf7-w26c-9w5h
- https://jira.mariadb.org/browse/MDEV-39413