CVE-2026-44168
MariaDB · Server
Unsafe parameter handling during State Snapshot Transfer (SST) in MariaDB server allows malicious joiner nodes to execute arbitrary shell commands on the donor node.
Executive summary
A high-severity command injection in the donor side of MariaDB's Galera State Snapshot Transfer (SST) lets any host that can join the cluster as a new node run shell commands on the donor. Every cluster member can act as a donor, so every node needs the patched release without delay.
Vulnerability
The flaw is on the donor side of SST. When a joiner requests a snapshot, the donor launches an SST script (a shell script) and passes along parameters the joiner supplied, and the mariabackup method (wsrep_sst_method=mariabackup) interpolates some of those parameters into shell commands without sanitising them. A host that can join the cluster as a joiner can therefore embed shell metacharacters in the parameters it sends and have arbitrary commands executed on the donor. Because the joiner chooses the values and the donor trusts them, no database credentials are involved: reaching the cluster and joining it is the only precondition.
Business impact
Successful exploitation gives the attacker arbitrary command execution on the donor node with the privileges of the SST script (the account mysqld runs as), which is enough to read or alter every database file on that node and, through replication, to affect the whole cluster. With a CVSS score of 8.0 (High), the vulnerability is a direct threat to the confidentiality, integrity, and availability of the cluster's data.
Remediation
Immediate Action: Upgrade to a fixed release: MariaDB 10.6.26 or 10.6.27, 10.11.17, 11.4.11, 11.8.7, or 12.3.2 (or a later release in the same series). Apply it to every node in the cluster, since any member can be selected as an SST donor.
Proactive Monitoring: On each node, watch the error log for SST launches that were not initiated by you (an SST is logged on the donor when the script starts, together with the joiner address it was handed), and audit process execution (for example with auditd execve rules) for children of the SST script other than the expected transfer tools such as mariabackup, socat or stunnel. A joiner address or other SST parameter containing shell metacharacters is a strong indicator of an exploitation attempt.
Compensating Controls: Until every node is patched, make sure untrusted hosts cannot join the cluster. Firewall the Galera group communication port (default 4567), the IST port (default 4568) and the SST port (default 4444) so that only known cluster members can reach them, and enable TLS for Galera group communication with certificate verification so that a node must hold a cluster-issued certificate before it can join and request SST.
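The following is an added illustrative example, not the MariaDB wsrep_sst_mariabackup script or any other MariaDB code. It models the bug class described in the Vulnerability section (a donor-side shell script splicing a joiner-supplied value into a command string) beside the allowlist check that removes it, and then reuses that same check as the log scan suggested under Proactive Monitoring. The "host:port" shape of the joiner parameter, the function names, and the error-log line format are all assumptions made for the example; the log excerpt is constructed, not real data.

```shell
#!/bin/sh
# Added illustrative example, not the MariaDB wsrep_sst_mariabackup script.
# It models the bug class described above: a donor-side shell script that
# builds a command from a joiner-supplied value, and the allowlist check
# that both fixes it and lets you scan the donor's log for abuse.

# Constructed joiner-supplied address values (assumed "host:port" shape).
BENIGN_ADDR='10.0.0.5:4444'
MALICIOUS_ADDR='10.0.0.5:4444;echo INJECTED'

# VULNERABLE pattern: untrusted data is spliced into a command string and
# handed back to the shell parser, so ';' ends one command and starts another.
# 'echo' stands in for the real transfer tool so the demo is harmless.
vulnerable_connect() {
    eval "echo connect $1"
}

# Allowlist check for a "host:port" value: only hostname/IPv4 characters,
# a non-empty host, a ':' separator and a numeric port in range. Anything
# else (including bracketed IPv6 literals, which this simplified check does
# not support) is rejected. Returns 0 if acceptable, 1 otherwise.
validate_addr() {
    case "$1" in
        ''|*[!A-Za-z0-9.:_-]*) return 1 ;;   # empty or contains a disallowed char
    esac
    host="${1%:*}"                            # everything before the last ':'
    port="${1##*:}"                           # everything after the last ':'
    [ -n "$host" ] && [ "$host" != "$1" ] || return 1   # host present, ':' present
    case "$port" in
        ''|*[!0-9]*) return 1 ;;              # port must be all digits
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# HARDENED pattern: validate first, then pass the value as a single argv
# element. The data never reaches a shell parser, so metacharacters are inert.
hardened_connect() {
    validate_addr "$1" || { echo "rejected joiner address: $1" >&2; return 1; }
    echo connect "$1"
}

# Constructed donor error-log excerpt. The line format is an assumption
# loosely modelled on the entries MariaDB writes when it launches an SST
# script; it is not real log data.
SAMPLE_LOG="2026-04-01 10:00:00 0 [Note] WSREP: Running: 'wsrep_sst_mariabackup --role donor --address 10.0.0.5:4444 --datadir /var/lib/mysql/'
2026-04-01 10:05:00 0 [Note] WSREP: Running: 'wsrep_sst_mariabackup --role donor --address 10.0.0.5:4444;echo INJECTED --datadir /var/lib/mysql/'"

# Detection: print every SST launch whose --address value fails the same
# allowlist the hardened script enforces.
scan_sst_log() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *"WSREP: Running: 'wsrep_sst_"*) ;;
            *) continue ;;
        esac
        rest="${line#*--address }"      # text after the option name
        addr="${rest%% --*}"            # up to the next option
        addr="${addr%\'}"               # strip a trailing quote if it was the last option
        validate_addr "$addr" || printf 'SUSPICIOUS SST request: %s\n' "$line"
    done
}

# Stand-alone demo.
echo "--- vulnerable script, benign input:";   vulnerable_connect "$BENIGN_ADDR"
echo "--- vulnerable script, malicious input:"; vulnerable_connect "$MALICIOUS_ADDR"
echo "--- hardened script, malicious input:";  hardened_connect "$MALICIOUS_ADDR" || true
echo "--- log scan:";                          scan_sst_log "$SAMPLE_LOG"
```

The design point is that the fix is not quoting alone: the value is validated against a strict allowlist before use and is then passed as data rather than re-parsed as code. Running the same allowlist over the donor's log turns the fix into a detection for attempts against unpatched nodes.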
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability allows arbitrary command execution on SST donor nodes by any host that can join the cluster, which is a serious failure for a component that already holds every byte of the database. Administrators must apply the fixed releases to all cluster members immediately and, until that is done, keep the cluster's replication and SST ports unreachable from untrusted networks.