MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with wsrep_notify_cmd enabled would execute shell commands embedded in the name of the joiner node. This is fixed in 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. As a workaround, anyone who cannot upgrade now should disable wsrep_notify_cmd.
{
"cwe_ids": [
"CWE-78"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49261.json",
"cna_assigner": "GitHub_M"
}{
"extracted_events": [
{
"introduced": "10.6.1"
},
{
"fixed": "10.6.27"
},
{
"introduced": "10.11.1"
},
{
"fixed": "10.11.18"
},
{
"introduced": "11.4.1"
},
{
"fixed": "11.4.12"
},
{
"introduced": "11.8.1"
},
{
"fixed": "11.8.8"
},
{
"introduced": "12.3.1"
},
{
"last_affected": "12.3.1"
}
],
"cpe": [
"cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*",
"cpe:2.3:a:mariadb:mariadb:12.3.1:*:*:*:*:*:*:*"
],
"source": [
"CPE_RANGE",
"CPE_STRING"
]
}[
{
"target": {
"file": "plugin/feedback/utils.cc"
},
"digest": {
"line_hashes": [
"83555093190689620275821073838593397976",
"143165154904281853743473853789182958881",
"63999986304963433756283349979408037597",
"11928305571998280801094324365008482859"
],
"threshold": 0.9
},
"id": "CVE-2026-49261-2a00d700",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/mariadb/server/commit/46a8eb42a520193686d9a16d4cea4b3e002917e4"
}
]
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-49261.json"
"2026-07-15T00:14:44Z"