{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-44173", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-05T14:39:34.923Z", "datePublished": "2026-06-12T17:34:30.301Z", "dateUpdated": "2026-06-12T18:03:34.244Z"}, "containers": {"cna": {"title": "MariaDB: FILE privilege was not checked for subqueries in the FROM clause", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/MariaDB/server/security/advisories/GHSA-667j-m53j-wpmc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MariaDB/server/security/advisories/GHSA-667j-m53j-wpmc"}, {"name": "https://jira.mariadb.org/browse/MDEV-39493", "tags": ["x_refsource_MISC"], "url": "https://jira.mariadb.org/browse/MDEV-39493"}], "affected": [{"vendor": "MariaDB", "product": "server", "versions": [{"version": ">= 10.6.1, < 10.6.26", "status": "affected"}, {"version": ">= 10.11.1, < 10.11.17", "status": "affected"}, {"version": ">= 11.4.1, < 11.4.11", "status": "affected"}, {"version": ">= 11.8.1, < 11.8.7", "status": "affected"}, {"version": ">= 12.3.1, < 12.3.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-12T17:34:30.301Z"}, "descriptions": [{"lang": "en", "value": "MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB allowed SELECT ... INTO OUTFILE and SELECT ... INTO DUMPFILE without verifying the FILE privilege if the FROM clause contained only subqueries. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2."}], "source": {"advisory": "GHSA-667j-m53j-wpmc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-12T18:03:24.496133Z", "id": "CVE-2026-44173", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-12T18:03:34.244Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-44173", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-12T18:03:24.496133Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-12T18:03:30.744Z"}}], "cna": {"title": "MariaDB: FILE privilege was not checked for subqueries in the FROM clause", "source": {"advisory": "GHSA-667j-m53j-wpmc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "MariaDB", "product": "server", "versions": [{"status": "affected", "version": ">= 10.6.1, < 10.6.26"}, {"status": "affected", "version": ">= 10.11.1, < 10.11.17"}, {"status": "affected", "version": ">= 11.4.1, < 11.4.11"}, {"status": "affected", "version": ">= 11.8.1, < 11.8.7"}, {"status": "affected", "version": ">= 12.3.1, < 12.3.2"}]}], "references": [{"url": "https://github.com/MariaDB/server/security/advisories/GHSA-667j-m53j-wpmc", "name": "https://github.com/MariaDB/server/security/advisories/GHSA-667j-m53j-wpmc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://jira.mariadb.org/browse/MDEV-39493", "name": "https://jira.mariadb.org/browse/MDEV-39493", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB allowed SELECT ... INTO OUTFILE and SELECT ... INTO DUMPFILE without verifying the FILE privilege if the FROM clause contained only subqueries. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-12T17:34:30.301Z"}}}, "cveMetadata": {"cveId": "CVE-2026-44173", "state": "PUBLISHED", "dateUpdated": "2026-06-12T18:03:34.244Z", "dateReserved": "2026-05-05T14:39:34.923Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-12T17:34:30.301Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*", "matchCriteriaId": "18373B5D-2024-48F6-812A-B3E28D6E7F2D", "versionEndExcluding": "10.6.26", "versionStartIncluding": "10.6.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*", "matchCriteriaId": "94C3F42B-E2B4-4969-8925-78EE56F56FC9", "versionEndExcluding": "10.11.17", "versionStartIncluding": "10.11.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*", "matchCriteriaId": "DE5BBBEB-2714-4C1F-8662-23C932A72725", "versionEndExcluding": "11.4.11", "versionStartIncluding": "11.4.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*", "matchCriteriaId": "7C894B8F-EBFD-4835-8245-CDC7230CBC0D", "versionEndExcluding": "11.8.7", "versionStartIncluding": "11.8.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mariadb:mariadb:12.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "57DFA226-8D97-4A19-8A62-426042F5416D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB allowed SELECT ... INTO OUTFILE and SELECT ... INTO DUMPFILE without verifying the FILE privilege if the FROM clause contained only subqueries. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2."}], "id": "CVE-2026-44173", "lastModified": "2026-06-16T19:04:35.470", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "[email protected]", "type": "Primary"}]}, "published": "2026-06-12T18:16:34.257", "references": [{"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://github.com/MariaDB/server/security/advisories/GHSA-667j-m53j-wpmc"}, {"source": "[email protected]", "tags": ["Third Party Advisory", "Issue Tracking"], "url": "https://jira.mariadb.org/browse/MDEV-39493"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "mariadb: MariaDB: Privilege bypass allows unauthorized file write via subqueries", "id": "2488460", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488460"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "status": "draft"}, "cwe": "CWE-266", "details": ["MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB allowed SELECT ... INTO OUTFILE and SELECT ... INTO DUMPFILE without verifying the FILE privilege if the FROM clause contained only subqueries. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.", "A flaw was found in MariaDB server. This vulnerability allows a low-privileged authenticated user to bypass a security control that normally restricts file operations. Specifically, the system failed to verify the necessary 'FILE' privilege when certain 'SELECT' statements, which write data to files, were executed with subqueries in their 'FROM' clause. This could enable an attacker to write unauthorized files to the server's file system, potentially leading to the disclosure of sensitive information or a denial of service by corrupting or filling disk space."], "name": "CVE-2026-44173", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Under investigation", "package_name": "mariadb10.11", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Under investigation", "package_name": "mariadb11.8", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Under investigation", "package_name": "mariadb", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Under investigation", "package_name": "mariadb", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Under investigation", "package_name": "mariadb", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Under investigation", "package_name": "mariadb:10.11/mariadb", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Under investigation", "package_name": "mariadb:11.8/mariadb", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Under investigation", "package_name": "mariadb10.11", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Under investigation", "package_name": "mariadb11.8", "product_name": "Red Hat Hardened Images"}], "public_date": "2026-06-12T17:34:30Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-44173\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-44173\nhttps://github.com/MariaDB/server/security/advisories/GHSA-667j-m53j-wpmc\nhttps://jira.mariadb.org/browse/MDEV-39493"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.6.1,10.6.26)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.11.1,10.11.17)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.4.1,11.4.11)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.8.1,11.8.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[12.3.1,12.3.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "server", "source": "cna", "vendor": "MariaDB"}, "product": "server", "vendor": "mariadb"}], "created": "2026-06-12T19:30:31.458317+00:00", "updated": "2026-06-23T14:15:04.913106+00:00", "vendors": ["mariadb", "mariadb$PRODUCT$server"]}