Bug 2494785 - CVE-2026-44170 mariadb11.8: Arbitrary shell command execution via improper sanitization in CONNECT engine [fedora-all]
Summary: CVE-2026-44170 mariadb11.8: Arbitrary shell command execution via improper sa...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: mariadb11.8
Version: rawhide
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
Assignee: Michal Schorm
QA Contact:
URL:
Whiteboard: {"flaws": ["dee46a19-cb79-454c-9681-d...
Depends On:
Blocks: CVE-2026-44170
TreeView+ depends on / blocked
 
Reported: 2026-06-30 08:08 UTC by Praise Ogwuche
Modified: 2026-06-30 10:58 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2026-06-30 10:58:37 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Praise Ogwuche 2026-06-30 08:08:12 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB on WIndows with installed CONNECT engine and enabled REST support interpolated table HTTP attribute into the curl command line without proper sanitizing. This allows the user to execute shell commands on the server. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.

Comment 1 Michal Schorm 2026-06-30 10:58:37 UTC
Fixed in the version currently available in Fedora Rawhide


Note You need to log in before you can comment on or make changes to this bug.