CVE-2026-44173

5.0 MEDIUM

MariaDB server is a community developed fork of MySQL server

Published: 2026-06-12 · Last updated: 2026-06-16

Severity and scoring

CVSS: 5.0 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
CWE: CWE-863

Affected products

Vendor	Product
mariadb	mariadb

Description

MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB allowed SELECT ... INTO OUTFILE and SELECT ... INTO DUMPFILE without verifying the FILE privilege if the FROM clause contained only subqueries. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-44173
[Vendor advisory]https://github.com/MariaDB/server/security/advisories/GHSA-667j-m53j-wpmc
[Other]https://jira.mariadb.org/browse/MDEV-39493

Related CVEs

Same vendor

CVE-2026-48165 — MariaDB server is a community developed fork of MySQL server (8.0 HIGH)
CVE-2026-48163 — MariaDB server is a community developed fork of MySQL server (8.0 HIGH)
CVE-2026-44172 — MariaDB server is a community developed fork of MySQL server (9.8 CRITICAL)
CVE-2026-44171 — MariaDB server is a community developed fork of MySQL server (6.3 MEDIUM)
CVE-2026-44170 — MariaDB server is a community developed fork of MySQL server (9.8 CRITICAL)

Same CWE

CVE-2026-53860 — OpenClaw before 2026.5.7 contains a sender policy bypass vulnerability in BlueBubbles that allows participants to match allowlist entries... (4.2 MEDIUM)
CVE-2026-53855 — OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks ... (8.1 HIGH)
CVE-2026-53854 — OpenClaw before 2026.4.25 contains a privilege escalation vulnerability in internal and webchat command authentication that allows sender... (6.5 MEDIUM)
CVE-2026-53853 — OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execute disallowe... (8.3 HIGH)
CVE-2026-5149 — The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the g... (6.5 MEDIUM)