PatchSiren cyber security CVE debrief
CVE-2026-48165 MariaDB CVE debrief
A high-privileged MariaDB user could use wsrep_sst_receive_address or wsrep_sst_donor global system variables to execute shell commands as the uid of the mariadbd process on the galera joiner node. This issue affects MariaDB server versions from 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1. The issue has been patched in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2.
- Vendor
- MariaDB
- Product
- server
- CVSS
- HIGH 8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-12
- Original CVE updated
- 2026-06-12
- Advisory published
- 2026-06-12
- Advisory updated
- 2026-06-12
Who should care
Users of MariaDB server versions from 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1 should apply the patches to prevent exploitation.
Technical summary
The vulnerability allows a high-privileged MariaDB user to execute shell commands as the uid of the mariadbd process on the galera joiner node using wsrep_sst_receive_address or wsrep_sst_donor global system variables.
Defensive priority
HIGH
Recommended defensive actions
- Apply patches: Upgrade to MariaDB server versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, or 12.3.2.
- Restrict access: Limit access to high-privileged MariaDB users.
Evidence notes
The CVE-2026-48165 record indicates a HIGH severity vulnerability with a CVSS score of 8.
Official resources
CVE-2026-48165 was published on 2026-06-12T18:16:35.177Z.