MariaDB shipped emergency fixes for its Galera Cluster in 2026, covering three high-severity flaws: CVE-2026-49261 (CVSS 10.0, maximum), plus CVE-2026-48165 and CVE-2026-48163 (both CVSS 8.0). The shock line: any MariaDB multi-primary sync cluster (Galera) can be made to run arbitrary system commands on the database host via unsafe parameter handling in wsrep SST (State Snapshot Transfer) and wsrep_notify_cmd — not "data breach" tier, but "the whole DB host is taken over" tier. Primary sources: MariaDB.org Corrective Releases and the MariaDB CVE docs.
To understand the mechanism, know what Galera is. Galera syncs multiple MariaDB servers into a multi-primary cluster; when a new node joins, SST transfers the full dataset from an existing node (donor) to the new one (joiner). That transfer runs via an external script (wsrep_sst_method, e.g. mariabackup / rsync), and wsrep_notify_cmd invokes a script on cluster state changes. That's where it breaks: both donor and joiner sides handle SST parameters, and wsrep_notify_cmd parameters, unsafely — they can be injected with arbitrary commands. The chain: poison wsrep parameters → SST/notify script runs with database-service privileges → command injection → host compromise. CVSS 10.0 means low attack complexity and full impact across confidentiality, integrity, and availability.
Affected scope: MariaDB Community Server running Galera Cluster. Fixed versions: 10.6.27, 10.11.18, 11.4.12, 11.8.8 (enterprise 11.8.x followed), released from around 2026-05-27, with distributions like SUSE pushing security updates into early June. Any SMB production environment that adopted Galera "for high availability" is on the risk list. Why act within 24 hours? Because CVSS 10.0 + command injection + database privileges means a breach gives the attacker full host control, not just data.
Technical Details (Vulnerability Type + Attack Path)
The core is OS command injection in Galera's wsrep mechanism:
- CVE-2026-49261 (CVSS 10.0): unsafe parameter handling in wsrep SST on both donor and joiner sides.
- CVE-2026-48165 / CVE-2026-48163 (CVSS 8.0): unsafe usage of wsrep_notify_cmd and related parameters.
Preconditions depend on deployment: any position influencing wsrep config, the SST flow, or cluster member communication. Once injected, the script runs as the database-service account. Check whether you run Galera:
-- 1) Confirm a Galera cluster is active
SHOW STATUS LIKE 'wsrep_cluster_size';
SHOW VARIABLES LIKE 'wsrep_provider';
-- 2) Check whether your version is below the fixed release
SELECT VERSION(); -- below 10.6.27 / 10.11.18 / 11.4.12 / 11.8.8 means upgrade
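To turn the SELECT VERSION() output into a verdict instead of eyeballing it, here is an added Python example (not MariaDB tooling and not from the advisory) that parses the version string and compares it, as a numeric tuple, against the fixed releases listed above for its series. A series the advisory does not list (10.5 in the constructed sample) is reported as unknown rather than assumed safe; the sample version strings are constructed.

```python
# Added example: classify a MariaDB VERSION() string against the fixed
# Galera releases named in the advisory. Not part of MariaDB's tooling.
import re

# Fixed releases from the advisory, keyed by (major, minor) series.
FIXED_RELEASES = {
    (10, 6): (10, 6, 27),
    (10, 11): (10, 11, 18),
    (11, 4): (11, 4, 12),
    (11, 8): (11, 8, 8),
}

def parse_version(version_string):
    """Extract (major, minor, patch) from a VERSION() result such as
    '10.11.6-MariaDB-1:10.11.6+maria~ubu2204-log'; everything after the
    third number (distro suffix, -log) is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    return tuple(int(x) for x in m.groups())

def needs_upgrade(version_string):
    """Return (verdict, detail): 'upgrade' if below the fixed release for
    its series, 'ok' if at or above it, 'unknown' for a series the advisory
    does not list (do not assume those are safe; check the vendor notes)."""
    version = parse_version(version_string)
    current = ".".join(map(str, version))
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return "unknown", f"{current}: series {version[0]}.{version[1]} has no fixed release listed here"
    fixed_str = ".".join(map(str, fixed))
    # Tuple comparison is essential: as strings, "10.11.6" sorts after "10.11.18".
    if version < fixed:
        return "upgrade", f"{current} is below fixed release {fixed_str}"
    return "ok", f"{current} is at or above fixed release {fixed_str}"

if __name__ == "__main__":
    # Constructed sample strings; paste the real SELECT VERSION() output here.
    for sample in ("10.11.6-MariaDB-1:10.11.6+maria~ubu2204-log",
                   "11.4.12-MariaDB", "10.5.22-MariaDB"):
        verdict, detail = needs_upgrade(sample)
        print(f"{verdict:8} {detail}")
```

Run it once per node (or feed it the output of `mariadb -Nse 'SELECT VERSION()'` collected from each host) and treat anything other than "ok" as a ticket.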
Immediate Actions
- Sysadmins: Upgrade MariaDB to 10.6.27 / 10.11.18 / 11.4.12 / 11.8.8 or newer immediately. If you can't, restrict Galera ports (4567/4568/4444) to a private segment and audit whether wsrep config sources can be modified by unauthorized parties.
- Developers (incl. Laravel/Nginx): Even on single-node MySQL, confirm no one "conveniently" enabled Galera; check whether deploy scripts expose DB admin ports publicly. Segment the network between DB and app hosts.
- Agencies / consultants: For every client you delivered a HA MariaDB / Galera architecture to, send an advisory reporting affected versions, fixed versions, mitigations, and your upgrade help. A low-cost, high-trust client-care move.
Patch vs Mitigation
- Immediate patch (preferred): Upgrade to 10.6.27 / 10.11.18 / 11.4.12 / 11.8.8 or newer; restart nodes via rolling upgrade.
- Mitigations: Firewall Galera ports 4567/4568/4444 to the internal private network only; lock config files (root-write only); confirm wsrep_notify_cmd/wsrep_sst_method don't point to tamperable scripts; monitor unexpected child processes.
IOCs & Threat Intel
- Process tree: mysqld/mariadbd spawning unexpected children (curl, wget, nc, reverse shells) beyond rsync/mariabackup.
- Config tampering: wsrep_notify_cmd/wsrep_sst_method pointing to /tmp or values with shell metacharacters (;, |, $(), backticks).
- Network: connections to ports 4444/4567/4568 from non-cluster-member IPs; unexpected outbound from the DB host.
- Audit: compare my.cnf against the deploy repo to find changes not in the change log.
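The process-tree, config-tampering and audit indicators above can be checked offline from text you already collect. The following is an added Python example, not MariaDB code and not from the advisory: it parses a my.cnf, flags wsrep_notify_cmd/wsrep_sst_method values that sit in world-writable directories or contain shell metacharacters, walks `ps -eo pid,ppid,comm` output for descendants of mariadbd/mysqld that are not on an allowlist, and diffs the live config against the deploy-repo copy. The allowlist of expected SST child processes, the set of world-writable directories, and both sample inputs are assumptions constructed for the example; tune them to your build.

```python
# Added example (not MariaDB's own code): offline checks for the indicators
# listed above, run over constructed my.cnf and process-list text.
import difflib
import re

# Keys whose values end up executed by mariadbd (the advisory's injection points).
EXEC_KEYS = {"wsrep_notify_cmd", "wsrep_sst_method"}
# SST methods shipped with MariaDB Galera; anything else is a custom script.
KNOWN_SST = {"rsync", "mariabackup", "mysqldump"}
# Directories any local user can write to (assumed list).
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Shell metacharacters that have no business in these values.
METACHARS = re.compile(r"[;|&`$><]")
# Processes mariadbd legitimately spawns during SST (assumed allowlist; sh/bash
# are included because the wsrep_sst_* wrappers are shell scripts, so a
# `sh -c curl` still surfaces through its curl child).
EXPECTED_CHILDREN = {"sh", "bash", "rsync", "mariabackup", "mariadb-backup",
                     "wsrep_sst_rsync", "wsrep_sst_mariabackup"}

def parse_cnf(text):
    """Return {key: value} for key=value lines, ignoring sections and comments.
    Dashes are normalised to underscores (MariaDB accepts both spellings)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        key, _, value = line.partition("=")
        conf[key.strip().replace("-", "_")] = value.strip()
    return conf

def audit_wsrep_config(text):
    """Flag executable wsrep settings that point at tamperable locations."""
    findings = []
    for key, value in parse_cnf(text).items():
        if key not in EXEC_KEYS:
            continue
        if METACHARS.search(value):
            findings.append(f"{key}: shell metacharacters in value {value!r}")
        if value.startswith(WORLD_WRITABLE_DIRS):
            findings.append(f"{key}: script lives in a world-writable dir ({value})")
        if key == "wsrep_sst_method" and value not in KNOWN_SST:
            findings.append(f"{key}: non-standard SST method {value!r}")
    return findings

def unexpected_children(ps_text):
    """Given `ps -eo pid,ppid,comm` output, return [(pid, comm)] for every
    descendant of mariadbd/mysqld whose command is not on the allowlist."""
    procs = {}
    for line in ps_text.splitlines()[1:]:  # skip the PID PPID COMMAND header
        pid, ppid, comm = line.split(None, 2)
        procs[int(pid)] = (int(ppid), comm)
    children = {}
    for pid, (ppid, _) in procs.items():
        children.setdefault(ppid, []).append(pid)
    stack = [p for p, (_, c) in procs.items() if c in ("mariadbd", "mysqld")]
    flagged = []
    while stack:  # depth-first walk over the whole subtree, not just direct children
        for child in children.get(stack.pop(), []):
            comm = procs[child][1]
            if comm not in EXPECTED_CHILDREN:
                flagged.append((child, comm))
            stack.append(child)
    return sorted(flagged)

def config_drift(repo_text, live_text):
    """Changed lines between the deploy-repo my.cnf and the live one."""
    diff = difflib.unified_diff(repo_text.splitlines(), live_text.splitlines(),
                                "repo/my.cnf", "/etc/my.cnf", n=0, lineterm="")
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]

# Constructed sample inputs: a clean repo config, a tampered live copy, and a
# process list in which mariadbd has spawned sh -> curl next to a normal SST.
REPO_CNF = """[galera]
wsrep_on=ON
wsrep_provider=/usr/lib/galera/libgalera_smm.so
wsrep_sst_method=mariabackup
wsrep_notify_cmd=/usr/local/sbin/galera-notify.sh
"""
LIVE_CNF = REPO_CNF.replace("/usr/local/sbin/galera-notify.sh", "/tmp/notify.sh; id")
PS_SAMPLE = """PID PPID COMMAND
1 0 systemd
812 1 mariadbd
901 812 wsrep_sst_mariabackup
902 901 mariabackup
950 812 sh
951 950 curl
960 1 sshd
"""

if __name__ == "__main__":
    for finding in audit_wsrep_config(LIVE_CNF):
        print("CONFIG:", finding)
    for pid, comm in unexpected_children(PS_SAMPLE):
        print(f"PROC: pid {pid} ({comm}) under mariadbd")
    for line in config_drift(REPO_CNF, LIVE_CNF):
        print("DRIFT:", line)
```

In practice, feed `audit_wsrep_config` and `config_drift` the real files from each node and the repo, and run `unexpected_children` from a cron job or your EDR's process telemetry; the config checks are static, so they belong in CI for the deploy repo as well as on the hosts.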
What They Won't Tell You
- A lot of Galera is "installed by default" by HA bundles or cloud providers — users don't know they run it. These shadow clusters are the most dangerous because no one manages their versions.
- Rolling upgrades aren't one-click. Version mismatch can make wsrep reject a node; the upgrade carries downtime and data-consistency risk and needs rehearsal. The next attacker move is scanning the internet for Galera nodes exposing port 4567.
The Bigger Trend
The database is no longer just "where data lives" — it's an execution surface, breached through ops mechanisms like backup, replication, and cluster sync. That's a clear 2025–2026 attack-industrialization pattern (Magento, Mirasvit cache, Galera SST share the same logic). Input validation in ops scripts is becoming a SecOps must-check.
My Take
The mainstream advice: "add it to the patch list, schedule the next maintenance window." My judgment differs: for a CVSS 10.0 command injection, the concept of "next maintenance window" should itself be retired. But the unpopular part: for SMBs the real risk isn't "didn't upgrade," it's "didn't know they were running Galera." ScriptWalker's client-care opportunity: use this as a database architecture health-check service entry point — inventory whether a client's DB is clustered, how old it is, whether admin ports are exposed, and deliver a two-page report. That's how you turn a one-off client into a long-term maintenance client off a single security event.