MariaDB has patched CVE-2026-49261, a critical OS command injection vulnerability that scores CVSS 10.0 and allows an unauthenticated remote attacker to execute arbitrary code on affected database servers. The vulnerability is in the wsrep_notify_cmd functionality, a component of Galera Cluster replication. Standalone MariaDB installations without Galera are not affected. Patches were released on May 27, 2026; the vulnerability was publicly disclosed on June 11, 2026.

Who Is at Risk and Who Is Not

This distinction matters before anything else. wsrep_notify_cmd is a configuration option specific to Galera Cluster, the synchronous multi-primary replication layer used in high-availability MariaDB deployments. It is not present or active in standard single-node MariaDB installations.

A deployment is vulnerable only if all three of the following are true:

  • MariaDB is running as part of a Galera Cluster
  • The wsrep_notify_cmd option is configured in the server settings (it has no value by default)
  • The server is running one of the affected versions (see below)

Shared hosting customers running WordPress, WooCommerce, or other PHP applications on a standard LAMP stack are not at risk from this specific vulnerability. The exposure sits with managed database providers, cloud database services, and hosting infrastructure teams that operate clustered MariaDB environments for availability or redundancy.

How the Attack Works

wsrep_notify_cmd specifies a shell script that MariaDB calls when cluster membership changes: a node joins, leaves, or changes state. When a new node (called a “joiner”) connects to the cluster, MariaDB passes information about that node, including its wsrep_node_name, to the notify script as a shell command argument.

The vulnerability (CWE-78) is that MariaDB did not sanitize the joiner’s node name before inserting it into the shell command. An attacker who can reach the Galera replication port can present a crafted node name containing injected shell commands. MariaDB executes the notify script with the attacker-supplied name, and the injected commands run with the privileges of the MariaDB process.
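To make the CWE-78 shape concrete from the defender's side, here is an added illustration (not MariaDB's or Galera's code) of how a membership-change notifier should hand a node name to an external script: validate the name against a hostname-style character set, then launch the script with an argument vector so no shell ever parses the name. The flag names `--status` and `--joiner` and the function names are assumptions for this example; the real notify interface is not reproduced here.

```python
import re
import subprocess

# Hostname-style node names: letters, digits, dots and hyphens, starting and
# ending with an alphanumeric, at most 253 characters. Anything else (spaces,
# ';', '$', backticks, quotes) is rejected before a process is ever launched.
NODE_NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def is_valid_node_name(name: str) -> bool:
    """Allow-list check on the peer-supplied node name."""
    return bool(NODE_NAME_RE.fullmatch(name))


def unsafe_command_line(script: str, status: str, joiner: str) -> str:
    """The vulnerable shape (shown for contrast, never executed here): the
    peer-supplied name is interpolated into one string that a shell would
    later split, so metacharacters in the name change the command itself."""
    return f"{script} --status {status} --joiner {joiner}"


def safe_argv(script: str, status: str, joiner: str) -> list:
    """Build the argument vector for the notify script (flag names assumed).
    The name is one argv element: execve() passes it as data, not as shell
    syntax, and the allow-list rejects anything that is not a plain hostname."""
    if not is_valid_node_name(joiner):
        raise ValueError(f"rejected node name: {joiner!r}")
    return [script, "--status", status, "--joiner", joiner]


def run_notify(script: str, status: str, joiner: str) -> str:
    """Invoke the notify script without a shell and return its stdout."""
    result = subprocess.run(
        safe_argv(script, status, joiner),  # list form: no shell involved
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Using /bin/echo as a stand-in notify script shows the arguments arriving
    # exactly as separate words, with the node name intact.
    print(run_notify("echo", "joined", "db-node-02"), end="")
```

The two layers are independent: the argument vector alone already prevents shell interpretation, and the allow-list additionally keeps a hostile name out of logs, file names, or any further shell use inside the notify script itself.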

The CVSS 3.1 vector confirms the severity: network-accessible (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), with high impact on confidentiality, integrity, and availability across a changed scope (S:C/C:H/I:H/A:H). The Galera replication port (TCP 4567) is typically firewalled to cluster members, but in a misconfigured environment, or for an attacker already on the internal network, there is no authentication barrier once the port is reachable.

Three CVEs, One Update

CVE-2026-49261 is not the only wsrep vulnerability patched in this release cycle. The same May 27 update includes two additional fixes in the same functional area:

  • CVE-2026-48165: CVSS 8.0, parameter injection in wsrep functionality
  • CVE-2026-48163: CVSS 8.0, parameter injection in wsrep functionality

All three affect Galera-enabled deployments. The Galera component itself was updated to version 26.4.27 in the same release. Teams running Galera clusters should treat this as a batch fix for the entire wsrep notification surface, not a single-CVE patch.

Affected Versions and What to Update To

The following release series are affected when wsrep_notify_cmd is configured:

  • 10.6.1 through 10.6.26: update to 10.6.27
  • 10.11.1 through 10.11.17: update to 10.11.18
  • 11.4.1 through 11.4.11: update to 11.4.12
  • 11.8.1 through 11.8.7: update to 11.8.8
  • 12.3.1: update to 12.3.2

If an immediate update is not feasible, the interim mitigation is to remove or comment out the wsrep_notify_cmd directive in the MariaDB configuration file and restart the service. This disables the notify script entirely. Cluster membership change notifications will stop firing, but the cluster itself continues to operate.
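Because exposure depends on three conditions at once (Galera enabled, wsrep_notify_cmd set, affected version), a quick self-assessment helps triage a fleet. The following is an added example, not a MariaDB tool: it reads a my.cnf-style configuration, checks the common option groups for a live (uncommented) wsrep_notify_cmd, approximates "part of a Galera Cluster" by wsrep_on being enabled, and compares the server version against the affected ranges listed above. The sample configurations are constructed for the example; the function names are assumptions.

```python
import re

# Affected series and the release to update to, taken from the advisory.
AFFECTED = [
    ((10, 6, 1), (10, 6, 26), "10.6.27"),
    ((10, 11, 1), (10, 11, 17), "10.11.18"),
    ((11, 4, 1), (11, 4, 11), "11.4.12"),
    ((11, 8, 1), (11, 8, 7), "11.8.8"),
    ((12, 3, 1), (12, 3, 1), "12.3.2"),
]

# Option groups MariaDB reads server settings from (a simplification; no
# version-specific groups such as [mariadb-10.11] are considered here).
OPTION_GROUPS = ("mysqld", "server", "mariadb", "galera")


def parse_version(version_string: str) -> tuple:
    """'10.11.15-MariaDB-log' -> (10, 11, 15)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    return tuple(int(x) for x in m.groups())


def fixed_release_for(version: tuple):
    """Return the fixed release if the version falls in an affected range."""
    for low, high, fixed in AFFECTED:
        if low <= version <= high:
            return fixed
    return None


def parse_mariadb_config(text: str) -> dict:
    """Minimal my.cnf reader: {section: {key: value}}. Comment lines ('#' or
    ';') are skipped, so a commented-out directive does not count as set, and
    dashes in option names are normalised to underscores as MariaDB does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("-", "_")
        sections[current][key] = value.strip().strip("\"'")
    return sections


def assess(config_text: str, version_string: str) -> dict:
    """Apply the advisory's three conditions and return a verdict."""
    cfg = parse_mariadb_config(config_text)
    merged = {}
    for group in OPTION_GROUPS:
        merged.update(cfg.get(group, {}))
    galera = merged.get("wsrep_on", "").upper() in ("ON", "1", "TRUE")
    notify_cmd = merged.get("wsrep_notify_cmd", "")
    fixed = fixed_release_for(parse_version(version_string))

    if fixed is None:
        return {"vulnerable": False, "update_to": None,
                "reason": "version is not in an affected range"}
    if not galera:
        return {"vulnerable": False, "update_to": fixed,
                "reason": "not a Galera node (wsrep_on is not enabled); update on schedule"}
    if not notify_cmd:
        return {"vulnerable": False, "update_to": fixed,
                "reason": "wsrep_notify_cmd is not set; update on schedule"}
    return {"vulnerable": True, "update_to": fixed,
            "reason": f"Galera node with wsrep_notify_cmd={notify_cmd}; "
                      f"update to {fixed} or comment the directive out and restart"}


# Constructed sample configurations for the example.
CONFIG_EXPOSED = """
[mysqld]
wsrep_on = ON
wsrep_cluster_address = gcomm://10.0.0.11,10.0.0.12
wsrep-notify-cmd = /usr/local/bin/wsrep-notify.sh
"""

CONFIG_MITIGATED = """
[mysqld]
wsrep_on = ON
wsrep_cluster_address = gcomm://10.0.0.11,10.0.0.12
# wsrep_notify_cmd = /usr/local/bin/wsrep-notify.sh   (disabled pending update)
"""

if __name__ == "__main__":
    for label, cfg in (("exposed", CONFIG_EXPOSED), ("mitigated", CONFIG_MITIGATED)):
        print(label, assess(cfg, "10.11.15-MariaDB-log"))
```

Run it against each node's configuration file and the output of `SELECT VERSION()`; a node reported as vulnerable should be updated to the listed release, or have the directive commented out and the service restarted as the interim step.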

Teams that have already applied the May 27 patches are protected. The June 11 public disclosure did not precede the fix; it followed it by two weeks, consistent with coordinated disclosure practice.