{"id":"CVE-2026-49261","summary":"MariaDB server has unsafe parameter handling in `wsrep_notify_cmd`","details":"MariaDB server is a community-developed fork of MySQL server. In versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1, a server with `wsrep_notify_cmd` enabled executes shell commands embedded in the name of the joiner node (OS command injection, CWE-78). This is fixed in 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. As a workaround, anyone who cannot upgrade now should disable `wsrep_notify_cmd`.","aliases":["BIT-mariadb-2026-49261","BIT-mariadb-min-2026-49261","BIT-mysql-client-2026-49261","GHSA-3p3m-4x7c-p4pw"],"modified":"2026-06-19T04:01:25.669267172Z","published":"2026-06-11T17:13:20.776Z","related":["SUSE-SU-2026:22095-1","SUSE-SU-2026:2282-1","SUSE-SU-2026:2284-1","SUSE-SU-2026:2330-1","openSUSE-SU-2026:10934-1","openSUSE-SU-2026:20933-1"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-78"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49261.json"},"references":[{"type":"WEB","url":"https://jira.mariadb.org/browse/MDEV-39721"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49261.json"},{"type":"ADVISORY","url":"https://github.com/MariaDB/server/security/advisories/GHSA-3p3m-4x7c-p4pw"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49261"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mariadb/server","events":[{"introduced":"00a8357bd30fdfca23720448a3f638290b6d35b7"},{"fixed":"b2050fdb4a8776422baf01a41bf86845994edb97"},{"introduced":"2437674291f31c91869a74eb6ebd9f03dc52bd43"},{"fixed":"197f92bee02d8e836f529f37625be69b83e7acbd"},{"introduced":"fa69b085b10f19a3a8b6e7adab27c104924333ae"},{"fixed":"b4a80422bfeec93079a430c080fffbda8f6fa574"},{"introduced":"1c4aed7c680c0402d6e97e097f03815c0e9bf4c5"},{"fixed":"46a8eb42a520193686d9a16d4cea4b3e002917e4"},{"introduced":"0
"}],"database_specific":{"extracted_events":[{"introduced":"10.6.1"},{"fixed":"10.6.27"},{"introduced":"10.11.1"},{"fixed":"10.11.18"},{"introduced":"11.4.1"},{"fixed":"11.4.12"},{"introduced":"11.8.1"},{"fixed":"11.8.8"},{"introduced":"0"},{"last_affected":"12.3.1"}],"source":["CPE_RANGE","CPE_STRING"],"cpe":["cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*","cpe:2.3:a:mariadb:mariadb:12.3.1:*:*:*:*:*:*:*"]}}],"versions":["mariadb-10.11.17","mariadb-11.8.7b","mariadb-11.4.11b","mariadb-10.6.26","mariadb-11.8.7","mariadb-11.4.11","mariadb-10.11.14","mariadb-11.8.6","mariadb-10.11.16","mariadb-11.4.10","mariadb-10.6.25","mariadb-11.8.4","mariadb-11.4.9","mariadb-10.11.15","mariadb-10.6.24","mariadb-11.8.3","mariadb-10.6.23","mariadb-11.4.8","mariadb-10.11.13","mariadb-11.8.2","mariadb-10.6.20","mariadb-11.4.7","mariadb-10.6.5","mariadb-10.11.12","mariadb-11.4.6","mariadb-10.6.22","mariadb-10.11.11","mariadb-11.8.1","mariadb-11.4.5","mariadb-10.6.21","mariadb-11.4.4","mariadb-10.6.18","mariadb-10.11.10","mariadb-11.4.3","mariadb-10.11.8","mariadb-10.11.9","mariadb-10.6.19","mariadb-10.6.17","mariadb-11.4.2","mariadb-11.4.1","mariadb-10.11.7","mariadb-10.11.6","mariadb-10.6.16","mariadb-10.6.12","mariadb-10.6.14","mariadb-10.6.13","mariadb-10.6.11","mariadb-10.6.8","mariadb-10.6.9","mariadb-10.11.2","mariadb-10.11.1","mariadb-10.6.10","mariadb-10.6.6","mariadb-10.6.4","mariadb-10.6.3","mariadb-10.6.2","mariadb-10.6.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-49261.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}]}