OS Command Injection in MariaDB - CVE-2026-44170

Published: May 19, 2026


Vulnerability identifier: #VU131784
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-44170
CWE-ID: CWE-78
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Debian
Affected software:
MariaDB

Detailed vulnerability description

The vulnerability allows a local user to execute arbitrary commands on the server.

The vulnerability exists due to command injection in CONNECT REST Xcurl on Windows when interpolating the table HTTP attribute into the curl command line. A local user can supply a crafted URL value to execute arbitrary commands on the server.

Only MariaDB installations on Windows with the CONNECT engine installed and REST support enabled are vulnerable.
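As an added illustration (not MariaDB's or Debian's code), the pattern the description points at is shown beside its hardened form: a table attribute pasted into a shell command line versus the same fetch launched as an argv list with the value validated first. The function names and the `CURL` path are assumptions, not identifiers from the advisory.

```python
"""Illustrative only: unsafe shell-string construction vs. argv-based
launch for a CONNECT-style REST fetch. Not MariaDB source code."""
import subprocess
from urllib.parse import urlsplit

CURL = "curl"  # assumed path to the curl binary


def build_curl_shell_string(http_attr: str) -> str:
    """The vulnerable pattern (CWE-78): the table HTTP attribute is pasted
    into a string that a shell (cmd.exe on Windows) will parse. Any quote
    in the value ends the argument, so the remainder is shell syntax."""
    return f'{CURL} -s "{http_attr}"'


def validate_http_attr(http_attr: str) -> str:
    """Reject anything that is not a plain absolute http(s) URL before it
    reaches curl. Defence in depth; the real fix is to drop the shell."""
    parts = urlsplit(http_attr)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("HTTP attribute must be an absolute http(s) URL")
    if any(ch in '"\'' or ord(ch) < 0x20 for ch in http_attr):
        raise ValueError("HTTP attribute contains quote/control characters")
    return http_attr


def is_safe_http_attr(http_attr: str) -> bool:
    """Boolean wrapper around validate_http_attr for callers and tests."""
    try:
        validate_http_attr(http_attr)
    except ValueError:
        return False
    return True


def build_curl_argv(http_attr: str) -> list:
    """Hardened form: one argv element per argument, no shell involved.
    The scheme check also stops a value starting with '-' from being
    read by curl as an option."""
    return [CURL, "-s", validate_http_attr(http_attr)]


def windows_command_line(argv: list) -> str:
    """The string CreateProcess would receive for this argv: list2cmdline
    escapes embedded quotes, so a value cannot close its own argument."""
    return subprocess.list2cmdline(argv)


def fetch_rest_table(http_attr: str, runner=subprocess.run):
    """Launch curl with shell=False; `runner` is injectable for testing."""
    return runner(build_curl_argv(http_attr), shell=False,
                  capture_output=True, check=False)
```

The `build_curl_shell_string` function is kept only to show the shape of the defect; production code should never call it with attacker-influenced input.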


How to mitigate CVE-2026-44170

Install the security update from the vendor's website.

Sources