
Multiple critical vulnerabilities discovered in MariaDB server

Vulnerability, status open, Jun 7, 2026 to Jun 23, 2026
Critical MariaDB bugs let attackers run shell commands via Galera

Researchers have disclosed a set of critical flaws in MariaDB that allow attackers to execute arbitrary shell commands on Galera cluster nodes, as detailed in a recent security advisory published by SecurityOnline. The issues affect multiple recent releases and have prompted the vendor to issue patched versions across several branches.

The most severe flaw, tracked as CVE-2026-49261, carries a CVSS score of 10.0 and stems from insufficient validation during state snapshot transfer in Galera, enabling an unauthenticated attacker to inject and run shell commands on any node participating in the cluster, as described in the upstream security advisory on GitHub.

Two additional high-severity issues, CVE-2026-48163 and CVE-2026-48165, each rated CVSS 8.0, arise from improper handling of user-supplied input in SQL statements that are replicated across Galera nodes, similarly allowing command execution when the malicious query is processed, according to a follow-up note from SecurityOnline.

At the time of writing there is no public evidence that these vulnerabilities have been exploited in the wild, and no threat actor has been linked to the flaws, but the attack surface is considerable for any MariaDB deployment that uses Galera for high availability.

Because Galera is often used to synchronise data between geographically distributed servers, a successful compromise could provide a foothold for lateral movement, data exfiltration or further disruption of critical services that rely on the database tier.

Administrators should upgrade to the patched releases 10.6.27, 10.11.18, 11.4.12, 11.8.8 or 12.3.2 as soon as possible, and review their Galera configuration to ensure that only trusted networks can connect to the database ports.

Additional hardening steps include disabling any unnecessary state snapshot transfer scripts, monitoring query and system logs for unexpected shell activity, and restricting outbound network traffic from database hosts to limit the impact of a potential breach.
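One way to act on the upgrade and configuration-review advice above, as an added example that is not part of the advisory or the MariaDB project: the fixed release numbers are taken from the text above, the my.cnf fragment is constructed, and the check assumes the node's configuration uses the standard bind-address and wsrep option names.

```python
import configparser
import re

# Fixed releases listed in the advisory, keyed by branch (major, minor).
FIXED_RELEASES = {
    (10, 6): (10, 6, 27),
    (10, 11): (10, 11, 18),
    (11, 4): (11, 4, 12),
    (11, 8): (11, 8, 8),
    (12, 3): (12, 3, 2),
}

def parse_version(banner: str) -> tuple:
    """Turn a server banner such as '10.6.25-MariaDB-log' into (10, 6, 25)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", banner.strip())
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    return tuple(int(x) for x in m.groups())

def patch_status(banner: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for a version banner."""
    ver = parse_version(banner)
    fixed = FIXED_RELEASES.get(ver[:2])
    if fixed is None:
        return "unknown-branch"  # branch not named in the advisory; check vendor notes
    return "patched" if ver >= fixed else "vulnerable"

# Constructed my.cnf fragment standing in for a node's real configuration.
SAMPLE_CNF = """[mysqld]
bind-address = 0.0.0.0
skip-name-resolve
[galera]
wsrep_on = ON
wsrep_sst_method = rsync
wsrep_cluster_address = gcomm://10.0.0.11,10.0.0.12,10.0.0.13
"""

def galera_findings(cnf_text: str) -> list:
    """Flag the settings the advisory says to review on Galera nodes."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(cnf_text)
    findings = []
    if cp.get("galera", "wsrep_on", fallback="OFF").upper() != "ON":
        return findings  # not a Galera node, so the cluster-specific advice does not apply
    bind = cp.get("mysqld", "bind-address", fallback="")
    if bind in ("", "0.0.0.0", "::"):
        findings.append("bind-address not restricted; limit database ports to trusted networks")
    sst = cp.get("galera", "wsrep_sst_method", fallback="(default)")
    findings.append(f"wsrep_sst_method={sst}; confirm this SST method and its scripts are needed")
    return findings
```

Feed `patch_status` the output of `SELECT VERSION()` from each node and `galera_findings` the node's merged configuration to get a per-node list of what still needs attention.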

Intelligence briefing updated Jun 23, 2026

Tracked CVEs and CVSS scores:
- CVE-2026-49261: 10.0
- CVE-2026-48163: 8.0
- CVE-2026-48165: 8.0

Root source: github.com