{
  "threat_severity" : "Important",
  "public_date" : "2026-06-11T17:13:20Z",
  "bugzilla" : {
    "description" : "mariadb: MariaDB Server: Arbitrary code execution via wsrep_notify_cmd",
    "id" : "2487957",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2487957"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-78",
  "details" : [ "MariaDB server is a community-developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with `wsrep_notify_cmd` enabled would execute shell commands embedded in the name of the joiner node. This is fixed in 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. As a workaround, anyone who cannot upgrade now should disable `wsrep_notify_cmd`.", "A flaw was found in MariaDB server. When the `wsrep_notify_cmd` feature is enabled, the name of a joining (joiner) node is passed to the configured notification command as part of a shell command line, so a remote attacker who can present a crafted node name to the cluster can embed shell commands in it. This leads to arbitrary code execution with the privileges of the MariaDB server process, allowing the attacker to take full control of the affected system." ],
  "statement" : "Red Hat has assessed this vulnerability as Important. Exploitation requires the `wsrep_notify_cmd` server variable to be explicitly set to a notification script by the administrator; the variable is empty by default in the upstream configuration, and the Galera configuration Red Hat ships additionally defaults to `wsrep_on=0`, so a stock installation does not run as a cluster node at all. The attacker must also stand up a MariaDB/Galera node that is accepted into the cluster membership view in order to inject a malicious node name, which is reflected in the high attack complexity (AC:H) of the CVSS vector.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "mariadb10.11",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "mariadb11.8",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "mariadb",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "mariadb",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "mariadb",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "mariadb:10.11/mariadb",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "mariadb:11.8/mariadb",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "mariadb10.11",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "mariadb11.8",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-49261\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-49261\nhttps://github.com/MariaDB/server/security/advisories/GHSA-3p3m-4x7c-p4pw\nhttps://jira.mariadb.org/browse/MDEV-39721" ],
  "name" : "CVE-2026-49261",
  "mitigation" : {
    "value" : "If `wsrep_notify_cmd` is configured, set it to an empty string and remove the notification command from the server configuration file so it does not return on restart. This variable is empty by default and is non-empty only in Galera cluster deployments where an administrator has explicitly configured a notification command. Additionally, restrict network access to the Galera ports (4567 for group communication, 4568 for IST and 4444 for SST) to trusted cluster nodes only, so that an attacker cannot present a rogue node to the cluster in the first place.",
    "lang" : "en:us"
  },
  "csaw" : false
}
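The following triage script is an added example, not part of the Red Hat advisory above nor of the MariaDB project: it takes a server version string and the output of `SHOW VARIABLES LIKE 'wsrep%'` and reports whether the node meets the preconditions this advisory describes (affected upstream version, Galera enabled, non-empty `wsrep_notify_cmd`). The version table is copied from the advisory's upstream ranges only; vendor packages such as the RHEL modules listed in `package_state` may carry backported fixes, so use the vendor's data for those. The `SHOW VARIABLES` sample embedded below is constructed for the example, and the helper names (`assess`, `upstream_affected`, ...) are the example's own.

```python
"""Triage a MariaDB/Galera node against CVE-2026-49261 (added example)."""
import re

# Upstream affected ranges from the advisory text: (first, last) affected
# release per series. A version above `last` in a listed series is fixed.
AFFECTED_RANGES = {
    (10, 6): ((10, 6, 1), (10, 6, 26)),    # fixed in 10.6.27
    (10, 11): ((10, 11, 1), (10, 11, 17)), # fixed in 10.11.18
    (11, 4): ((11, 4, 1), (11, 4, 11)),    # fixed in 11.4.12
    (11, 8): ((11, 8, 1), (11, 8, 7)),     # fixed in 11.8.8
    (12, 3): ((12, 3, 1), (12, 3, 1)),     # fixed in 12.3.2
}

# Constructed sample of `mysql -B -e "SHOW VARIABLES LIKE 'wsrep%'"` output
# (tab-separated, header row first); not captured from a real server.
SAMPLE_VARIABLES = (
    "Variable_name\tValue\n"
    "wsrep_cluster_name\texample_cluster\n"
    "wsrep_notify_cmd\t/usr/local/bin/wsrep_notify.sh\n"
    "wsrep_on\tON\n"
)


def parse_version(version: str) -> tuple:
    """'10.11.17-MariaDB-log' -> (10, 11, 17); raises on unparseable input."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised MariaDB version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def upstream_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    parsed = parse_version(version)
    bounds = AFFECTED_RANGES.get(parsed[:2])
    return bounds is not None and bounds[0] <= parsed <= bounds[1]


def parse_show_variables(output: str) -> dict:
    """Parse tab-separated SHOW VARIABLES output into a {name: value} dict."""
    variables = {}
    for line in output.splitlines():
        if not line.strip() or line.startswith("Variable_name"):
            continue
        name, _, value = line.partition("\t")
        variables[name.strip()] = value.strip()
    return variables


def assess(version: str, variables: dict) -> str:
    """Classify a node by the advisory's preconditions.

    Returns one of:
      'not-in-upstream-affected-range' - version is fixed or not listed
      'not-galera'            - wsrep_on is OFF, so no joiner events occur
      'galera-no-notify-cmd'  - cluster node, but no notification command
      'EXPOSED'               - affected version + Galera + notify command set
    """
    if not upstream_affected(version):
        return "not-in-upstream-affected-range"
    if variables.get("wsrep_on", "OFF").upper() != "ON":
        return "not-galera"
    if not variables.get("wsrep_notify_cmd", ""):
        return "galera-no-notify-cmd"
    return "EXPOSED"


if __name__ == "__main__":
    # Stand-alone demo on the constructed sample; in practice feed the real
    # `SELECT VERSION()` and SHOW VARIABLES output into these functions.
    print(assess("10.11.17-MariaDB-log", parse_show_variables(SAMPLE_VARIABLES)))
```

A node classified as `EXPOSED` should be upgraded to the fixed release for its series; until then the workaround from the advisory applies, which at runtime is `SET GLOBAL wsrep_notify_cmd = ''` together with removing the setting from the configuration file so it does not come back on restart.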