Skip to main content
Mallory
Back to vulnerabilities
High

Command Injection in MariaDB mariabackup SST donor handling

IdentifiersCVE-2026-44168CWE-78· Improper Neutralization of Special…

CVE-2026-44168 is a command injection vulnerability in MariaDB Server affecting versions 10.6.1 through before 10.6.26, 10.11.1 through before 10.11.17, 11.4.1 through before 11.4.11, 11.8.1 through before 11.8.7, and 12.3.1. During State Snapshot Transfer (SST), the donor node interpolates parameters supplied by the joiner into a command line used by the mariabackup SST method. Because not all joiner-controlled parameters were properly validated, a malicious joiner can inject arbitrary shell commands that execute on the donor node.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary shell command execution on the donor MariaDB node during SST when the mariabackup SST method is used. This can lead to full compromise of the donor host in the security context of the SST-related process, including unauthorized command execution, data access or modification, service disruption, and potential further lateral movement from the donor system.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict who can operate or provision joiner nodes in replication/cluster environments, avoid using untrusted joiners, and limit SST initiation to trusted administrative workflows. Where feasible, avoid or disable the mariabackup SST method until patched, and harden donor hosts to reduce impact of shell command execution, including least-privilege execution and network segmentation between cluster members.

Remediation

Patch, then assume compromise.

Upgrade MariaDB Server to a patched release: 10.6.26 or later in the 10.6 branch, 10.11.17 or later in the 10.11 branch, 11.4.11 or later in the 11.4 branch, 11.8.7 or later in the 11.8 branch, or 12.3.2 or later in the 12.3 branch.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

7 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity7

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-44168
NVD
nvd.nist.gov/vuln/detail/CVE-2026-44168
MITRE CWE · CWE-78
Improper Neutralization of Special Elements…
github.com
github.com/MariaDB/server/security/advisories/GHSA-vwf7-w26c-9w5h
jira.mariadb.org
jira.mariadb.org/browse/MDEV-39413