External risk intelligence

MariaDB Command Execution Vulnerability When wsrep_notify_cmd is Enabled.

CVE advisory

Severity: CRITICAL (CVSS 10.0)

CVE-2026-49261

MariaDB server versions may allow shell command execution if the `wsrep_notify_cmd` configuration is enabled. This occurs when commands are embedded in the name of a joining node, potentially leading to unauthorized command execution. Confirming the use of this software and configuration is important for assessing pote

Halo Surface Signal score: 2

OS Command Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-49261

MariaDB is a database server typically deployed in internal, segmented network environments. While network-reachable, it is not designed to be directly exposed to the public internet. The specific configuration, wsrep_notify_cmd, is an administrative cluster notification setting that would rarely, if ever, be reachable or relevant to external, unauthenticated internet users.

PCI scan relevance

PCI Relevance for CVE-2026-49261

Yes

CVE-2026-49261 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows remote code execution, which is a common cause for failing PCI ASV scans. Exploiting this could lead to a compromise of sensitive data.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A security issue in MariaDB server allows attackers to execute unauthorized shell commands by embedding them in the name of a joining node, a vulnerability that could lead to significant system compromise if exploited. This flaw affects specific versions of the database software, particularly when a particular configuration setting is enabled, and has been addressed in newer releases. The primary concern for leadership is to confirm whether this specific software and configuration are in use within the organization, in order to assess potential exposure.

  • Commands run if specific software is configured.
  • Potential for unauthorized code execution.
  • Confirm relevance and exposure of this software.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by leveraging a misconfiguration where a specially crafted command is embedded within the name of a joining node in a MariaDB cluster. If the `wsrep_notify_cmd` setting is enabled, the server would execute these commands, potentially allowing the attacker to achieve high privileges on the affected system. This scenario requires network access to the vulnerable MariaDB server and the specific configuration to be active.

  • Network access required.
  • Malicious node name triggers execution.
  • Leads to remote code execution.

Live Threat

Current exploitation, exposure, and threat context

When the `wsrep_notify_cmd` option is enabled in MariaDB, a malicious actor could potentially execute arbitrary shell commands on the server by embedding them in the name of a joining node. This could affect the integrity and availability of the database service and its underlying system.

  • Database server commands.
  • Commands sent via joining node.
  • System compromise or data loss.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and infrastructure teams are likely responsible for addressing this vulnerability in MariaDB server instances. The immediate practical step is to identify all deployments of the affected MariaDB versions, determine their network reachability and business criticality, and then locate the accountable owner to plan remediation, which may involve upgrades or configuration changes.

  • Application and infrastructure teams own this.
  • Verify affected instances and business impact.
  • Plan upgrade or configuration adjustment.

Frequently asked questions

What is MariaDB and how is it used?

MariaDB is a popular, open-source database server used to store and manage structured data for applications. It is a community-developed fork of MySQL that serves as a foundational component for many web platforms, content management systems, and enterprise software suites. It functions by processing queries from clients and, in clustered environments, synchronizing data across multiple server nodes to ensure high availability and data consistency.

What does CVE-2026-49261 mean for system security?

This vulnerability is classified as CWE-78, or OS Command Injection. In plain terms, it means the database server can be tricked into running unauthorized operating system commands. Because the software fails to properly sanitize input provided during a specific cluster communication process, an attacker can input malicious commands that the server interprets as instructions to execute on the host machine, leading to a complete compromise of the system.

How can an attacker trigger this MariaDB vulnerability?

An attacker must be able to influence the 'joiner node' name within a MariaDB cluster setup where the 'wsrep_notify_cmd' setting is actively enabled. If this specific configuration is disabled, the vulnerability cannot be triggered in this manner, as the server will not attempt to execute the notification command. The attack relies on injecting commands into the node naming field, which the server then incorrectly processes and executes at the system level.

Is my MariaDB instance relevant to this threat?

According to Halo Surface Signal, MariaDB is typically deployed in internal, segmented networks and is not meant for direct public internet access. Since this flaw requires interacting with cluster node configurations, it is unlikely to be reachable by random external internet users. You should focus your attention on instances where 'wsrep_notify_cmd' is turned on and where network access is granted to untrusted or less-secure segments of your environment.

What is the recommended first step for responders?

The most effective first step is to inventory your MariaDB deployments to check if they are running the affected versions and confirm whether 'wsrep_notify_cmd' is enabled. If you cannot perform an immediate software upgrade to the patched versions provided by MariaDB, you should disable the 'wsrep_notify_cmd' setting as a temporary workaround to eliminate the primary execution path for this vulnerability.
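A defender-side check for the inventory step described above and in the Operational Fix section, as an added example that is not part of this advisory or of MariaDB's own tooling: it reads MariaDB option files and reports any file that sets wsrep_notify_cmd to a non-empty value. The system paths in main() are assumed common defaults, and the sample option files are constructed inline.

```shell
#!/bin/sh
# Added example, not from the advisory or MariaDB: audit MariaDB option files
# for an active wsrep_notify_cmd, the precondition this advisory names.
# The system paths checked in main() are common defaults, assumed here.

# Print the effective (last uncommented) wsrep_notify_cmd value in one option
# file, with a trailing "# comment" and surrounding quotes stripped; print
# nothing if the setting is absent or empty.
wsrep_notify_cmd_value() {
    sed -n 's/^[[:space:]]*wsrep_notify_cmd[[:space:]]*=[[:space:]]*//p' "$1" \
      | tail -n 1 \
      | sed 's/[[:space:]]#.*$//; s/^["'"'"']//; s/["'"'"']*[[:space:]]*$//'
}

# Return 0 (enabled) if any readable file sets wsrep_notify_cmd to a non-empty
# value, printing file and value; return 1 if none does.
wsrep_notify_cmd_enabled() {
    rc=1
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(wsrep_notify_cmd_value "$f")
        if [ -n "$v" ]; then
            echo "ENABLED in $f: wsrep_notify_cmd=$v"
            rc=0
        fi
    done
    return "$rc"
}

# Constructed sample option files (not from any real host) for a dry run:
# one with the setting commented out / empty, one with it active.
make_sample_configs() {
    d=$(mktemp -d)
    printf '[mysqld]\n# wsrep_notify_cmd = /opt/old-notify.sh\nwsrep_notify_cmd = ""  # disabled\n' > "$d/safe.cnf"
    printf '[galera]\nwsrep_on = ON\nwsrep_notify_cmd = "/usr/local/bin/wsrep_notify.sh"\n' > "$d/cluster.cnf"
    echo "$d"
}

main() {
    d=$(make_sample_configs)
    wsrep_notify_cmd_enabled "$d/safe.cnf" "$d/cluster.cnf" \
      || echo "samples: no enabled setting"
    # Assumed default option-file locations; missing files are skipped.
    wsrep_notify_cmd_enabled /etc/my.cnf /etc/my.cnf.d/*.cnf \
        /etc/mysql/my.cnf /etc/mysql/mariadb.conf.d/*.cnf \
      || echo "system option files: wsrep_notify_cmd not set (or files absent)"
}

main "$@"
```

On a running server the live value can be read with `mysql -N -s -e "SHOW GLOBAL VARIABLES LIKE 'wsrep_notify_cmd'"`, and the temporary workaround the advisory describes can be applied at runtime with `SET GLOBAL wsrep_notify_cmd = '';` (the option file still needs editing so the change survives a restart).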
