CVE-2026-48165 MariaDB: unsafe usage of `wsrep_sst_receive_address` values on the joiner side

🗓️ 12 Jun 2026 17:35:16Reported by GitHub_MType

Unsafe usage of wsrep_sst_receive_address on joiner enables shell commands as mariadbd user.

Reporter	Title	Published	Views	Family All 26
FreeBSD	MariaDB -- Multiple vulnerabilities	28 May 202600:00	–	freebsd
AlpineLinux	CVE-2026-48165	12 Jun 202617:35	–	alpinelinux
CVE	CVE-2026-48165	12 Jun 202617:35	–	cve
Debian CVE	CVE-2026-48165	12 Jun 202617:35	–	debiancve
EUVD	EUVD-2026-36520	12 Jun 202617:35	–	euvd
Tenable Nessus	FreeBSD : MariaDB -- Multiple vulnerabilities (2eb8a9ab-5b5d-11f1-8607-8447094a420f)	30 May 202600:00	–	nessus
Tenable Nessus	Linux Distros Unpatched Vulnerability : CVE-2026-48165	7 Jun 202600:00	–	nessus
MariaDBUnix	CVE-2026-48165	30 May 202601:59	–	mariadbunix
NVD	CVE-2026-48165	12 Jun 202618:16	–	nvd
OPENSUSE Linux	libmariadbd-devel-11.8.8-1.1 on GA media (moderate)	6 Jun 202600:00	–	opensuse

[
  {
    "vendor": "MariaDB",
    "product": "server",
    "versions": [
      {
        "version": ">= 10.6.1, < 10.6.27",
        "status": "affected"
      },
      {
        "version": ">= 10.11.1, < 10.11.18",
        "status": "affected"
      },
      {
        "version": ">= 11.4.1, < 11.4.12",
        "status": "affected"
      },
      {
        "version": ">= 11.8.1, < 11.8.8",
        "status": "affected"
      },
      {
        "version": ">= 12.3.1, < 12.3.2",
        "status": "affected"
      }
    ]
  }
]

Source	Link
jira	www.jira.mariadb.org/browse/MDEV-39676
github	www.github.com/MariaDB/server/security/advisories/GHSA-7v3p-h23x-8hwv

12 Jun 2026 17:35Current

CVSS 3.18

CWE-78