PatchSiren cyber security CVE debrief
CVE-2026-49261 MariaDB CVE debrief
CVE-2026-49261 is a critical vulnerability in MariaDB server, a community-developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with `wsrep_notify_cmd` enabled would execute shell commands embedded in the name of the joiner node. This is fixed in 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. As a workaround, anyone who cannot upgrade now should disable `wsrep_notify_cmd`.
- Vendor: MariaDB
- Product: server
- CVSS: CRITICAL 10
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Users of MariaDB server versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with `wsrep_notify_cmd` enabled.
Technical summary
The vulnerability allows remote code execution (RCE): when `wsrep_notify_cmd` is enabled, affected servers execute shell commands embedded in the name of the joiner node.
Defensive priority
High
Recommended defensive actions
- Upgrade to a fixed version: 10.6.27, 10.11.18, 11.4.12, 11.8.8, or 12.3.2.
- Disable `wsrep_notify_cmd` as a temporary workaround.
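One way to triage a fleet against the ranges above, as an added example (not PatchSiren's or MariaDB's code): it classifies each node from its `SELECT VERSION()` output and its `wsrep_notify_cmd` value. The function names, status labels, host names and script path are constructed for illustration.

```python
import re

# Affected ranges and fixed releases, copied from the advisory text above.
# Key: release series; value: (first affected, last affected, fixed release).
AFFECTED = {
    (10, 6): ((10, 6, 1), (10, 6, 26), "10.6.27"),
    (10, 11): ((10, 11, 1), (10, 11, 17), "10.11.18"),
    (11, 4): ((11, 4, 1), (11, 4, 11), "11.4.12"),
    (11, 8): ((11, 8, 1), (11, 8, 7), "11.8.8"),
    (12, 3): ((12, 3, 1), (12, 3, 1), "12.3.2"),
}

def parse_version(version_string):
    """Extract (major, minor, patch) from VERSION() output such as
    '10.6.24-MariaDB-log'; build suffixes are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    return tuple(int(part) for part in m.groups())

def assess(version_string, wsrep_notify_cmd):
    """Classify one node. wsrep_notify_cmd is the variable's value
    (None or empty/whitespace means the feature is disabled)."""
    version = parse_version(version_string)
    entry = AFFECTED.get(version[:2])
    if entry is None or not (entry[0] <= version <= entry[1]):
        return "outside-listed-range", "version is not in a range the advisory lists"
    fixed = entry[2]
    if not (wsrep_notify_cmd or "").strip():
        return "workaround-only", f"wsrep_notify_cmd is disabled; still upgrade to {fixed}"
    return "exposed", f"wsrep_notify_cmd is set; upgrade to {fixed} or disable it"

if __name__ == "__main__":
    # Constructed inventory: (host, VERSION() output, wsrep_notify_cmd value).
    inventory = [
        ("db-a", "10.6.24-MariaDB-log", "/usr/local/bin/wsrep_notify.sh"),
        ("db-b", "11.4.11-MariaDB", ""),
        ("db-c", "10.11.18-MariaDB", "/usr/local/bin/wsrep_notify.sh"),
    ]
    for host, version, notify_cmd in inventory:
        status, detail = assess(version, notify_cmd)
        print(f"{host}: {status} ({detail})")
```

The `outside-listed-range` status only means the version is not one the advisory names; it covers both fixed releases and series the advisory does not mention.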
Evidence notes
The CVE-2026-49261 vulnerability has been confirmed by the vendor and has a CVSS score of 10, indicating critical severity.
Official resources
CVE-2026-49261 was published on 2026-06-11T18:16:26.553Z and modified on 2026-06-11T20:56:29.653Z.