PatchSiren cyber security CVE debrief
CVE-2026-48163 MariaDB CVE debrief
CVE-2026-48163 is a high-severity vulnerability in MariaDB server, a community-developed fork of MySQL server. It affects versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1. During the SST (State Snapshot Transfer) process, the donor node interpolates parameters sent by the joiner into the command line. Not all of these parameters were properly validated, so a malicious joiner can execute arbitrary shell commands on the donor side via the rsync SST method. The issue is patched in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2.
- Vendor: MariaDB
- Product: server
- CVSS: HIGH 8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of MariaDB server versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1 should be aware of this vulnerability and take immediate action to upgrade to a patched version.
Technical summary
The vulnerability is caused by improper validation of parameters sent by the joiner during the SST process. This allows a malicious joiner to execute arbitrary shell commands on the donor side via the rsync SST method. The CVSS score for this vulnerability is 8, indicating a high severity.
Defensive priority
high
Recommended defensive actions
- Upgrade to a patched version of MariaDB server (10.6.27, 10.11.18, 11.4.12, 11.8.8, or 12.3.2) as soon as possible.
- Ensure that only trusted joiners are allowed to connect to the donor node during the SST process.
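To triage an inventory against the version ranges listed on this page, the following added example (not from the advisory or from MariaDB's own tooling) classifies a server version string as affected, patched, or not listed. The function names and the sample inventory are constructed for illustration; a version match only matters on nodes that can act as a donor for the rsync SST method.

```python
import re

# Ranges as stated on this page, keyed by release series:
# (first affected version, first fixed version).
AFFECTED = {
    (10, 6): ((10, 6, 1), (10, 6, 27)),
    (10, 11): ((10, 11, 1), (10, 11, 18)),
    (11, 4): ((11, 4, 1), (11, 4, 12)),
    (11, 8): ((11, 8, 1), (11, 8, 8)),
    (12, 3): ((12, 3, 1), (12, 3, 2)),  # only 12.3.1 is affected
}

def parse_version(text):
    """Extract (major, minor, patch) from e.g. '10.11.14-MariaDB-log'."""
    # MariaDB 10.x prefixes the handshake version with '5.5.5-' for
    # compatibility with old clients; drop it so it is not mistaken for x.y.z.
    text = re.sub(r"^\s*5\.5\.5-", "", text)
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())

def classify(version_text):
    """Return 'affected', 'patched' or 'not-listed' for CVE-2026-48163."""
    version = parse_version(version_text)
    bounds = AFFECTED.get(version[:2])
    if bounds is None:
        return "not-listed"  # series not named on this page
    first_affected, first_fixed = bounds
    if version >= first_fixed:
        return "patched"
    if version >= first_affected:
        return "affected"
    return "not-listed"  # below the first listed affected version

if __name__ == "__main__":
    # Constructed sample inventory: host -> reported server version.
    inventory = {
        "db-a": "10.11.14-MariaDB-log",
        "db-b": "5.5.5-10.6.27-MariaDB",
        "db-c": "mariadbd  Ver 12.3.1-MariaDB for Linux on x86_64",
        "db-d": "10.5.29-MariaDB",
    }
    for host, reported in inventory.items():
        print(f"{host}: {reported} -> {classify(reported)}")
```

A "not-listed" result means only that the series or version is outside the ranges given on this page, so confirm those hosts against the vendor advisory.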
Evidence notes
The CVE-2026-48163 vulnerability was published on June 12, 2026, and has a CVSS score of 8, indicating a high severity. The vulnerability affects multiple versions of MariaDB server.
Official resources
CVE-2026-48163 was published on 2026-06-12T18:16:35.037Z