CVE-2026-49261

Publication date 11 June 2026

Last updated 11 July 2026


Ubuntu priority

Cvss 3 Severity Score

10.0 · Critical

Score breakdown

Description

MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with `wsrep_notify_cmd` enabled would execute shell commands embedded in the name of the joiner node. This is fixed in 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. As a workaround, anyone who cannot upgrade now should disable `wsrep_notify_cmd`.

Status

Package Ubuntu Release Status
mariadb 26.04 LTS resolute
Needs evaluation
25.10 questing Ignored end of life, was needs-triage
24.04 LTS noble
Needs evaluation
22.04 LTS jammy Not in release
mariadb-10.0 26.04 LTS resolute Not in release
25.10 questing Not in release
24.04 LTS noble Not in release
22.04 LTS jammy Not in release
mariadb-10.1 26.04 LTS resolute Not in release
25.10 questing Not in release
24.04 LTS noble Not in release
22.04 LTS jammy Not in release
18.04 LTS bionic
Needs evaluation
mariadb-10.3 26.04 LTS resolute Not in release
25.10 questing Not in release
24.04 LTS noble Not in release
22.04 LTS jammy Not in release
20.04 LTS focal
Needs evaluation
mariadb-10.6 26.04 LTS resolute Not in release
25.10 questing Not in release
24.04 LTS noble Not in release
22.04 LTS jammy
Needs evaluation

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
mariadb

Severity score breakdown

CVSS version: CVSS v3.0

Base score 10.0 · Critical

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H


Access our resources on patching vulnerabilities