CVE-2026-49261 — MariaDB Galera cluster: pre-auth lateral RCE via `wsrep_notify_cmd`
From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14
NCSC-CH's Security Hub flagged a CVSS 10.0 OS command injection (post 12627, 11 June) that did not surface in the daily briefs. When MariaDB Community or Enterprise Server runs in a Galera cluster with wsrep_notify_cmd configured, the notification command is built by interpolating the peer-supplied wsrep_node_name and wsrep_node_incoming_address fields directly into a string that is handed to sh -c, with no escaping (NCSC-CH Security Hub; MariaDB CVE list). Each node announces these two fields itself when it joins, and every other member passes them to its own notify command on the next membership change. A malicious or compromised peer that announces a node name containing shell metacharacters therefore executes arbitrary commands on every cluster member that has a notify command configured, with the privileges of the database server process (normally the mysql user). No MariaDB account is involved: the precondition is cluster membership, not database authentication, so one foothold becomes lateral RCE across the whole cluster.

Fixed in Community 10.6.27 / 10.11.18 / 11.4.12 / 11.8.8 / 12.3.2 and the corresponding Enterprise builds. wsrep_notify_cmd is empty by default, so a node that has never set it is not exposed by this bug; check the variable's value on every member rather than assuming, since notify hooks are commonly added by cluster-management tooling.

This matters for European public-sector estates because MariaDB underpins a great deal of self-hosted open-source tooling (Nextcloud, Moodle, GLPI). Patch immediately. Where Galera notifications are genuinely needed, restrict Galera replication traffic (ports 4567 and 4568) to trusted internal nodes at the network layer, enable TLS with a cluster CA on the replication link (the socket.ssl_* settings in wsrep_provider_options) so that only nodes holding a cluster-issued certificate can join, and disable wsrep_notify_cmd everywhere it is not strictly needed. Any node name in the membership view that contains shell metacharacters is an indicator of attempted exploitation; the notify command's own --members argument and the Galera membership-change messages in the server error log both carry node names and are worth a retrospective search.
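To make the failure mode concrete, here is an added example that is not MariaDB or Galera code: a Python stand-in for the notify dispatcher that shows the vulnerable sh -c string build beside an argv-based replacement, with and without an allowlist on the peer-supplied fields. The --status/--members argument layout follows the documented wsrep_notify_cmd interface (comma-separated uuid/name/address triplets); the stub notify script, the allowlist regexes and the sample membership views are constructed for this example and are not from the advisory.

```python
"""Added example (not MariaDB/Galera code): why interpolating peer-supplied
Galera node fields into `sh -c` is exploitable, and the argv-plus-allowlist fix."""
import os
import re
import shlex
import stat
import subprocess
import tempfile

# Allowlists for the two peer-controlled fields. Assumption for the example:
# a node name is a hostname-like token and an incoming address is host:port
# (IPv6 brackets allowed). Anything else is rejected before any exec.
NODE_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
ADDRESS_RE = re.compile(r"^[A-Za-z0-9.:_\-\[\]]{1,253}$")


def make_notify_stub():
    """Write a stand-in notify script that prints each argv element on its
    own line, so we can see exactly what reaches the command. Constructed
    here purely for demonstration; returns the script path."""
    fd, path = tempfile.mkstemp(prefix="wsrep_notify_", suffix=".sh")
    with os.fdopen(fd, "w") as f:
        f.write("#!/bin/sh\nprintf '%s\\n' \"$@\"\n")
    os.chmod(path, stat.S_IRWXU)
    return path


def members_arg(members):
    """Galera's --members value: comma-separated uuid/name/address triplets.
    The join itself performs no escaping, exactly like the vulnerable path."""
    return ",".join(f"{uuid}/{name}/{addr}" for uuid, name, addr in members)


def unsafe_invoke(notify_cmd, members):
    """Vulnerable pattern: build one command line and hand it to sh -c.
    A node name such as 'node3; echo INJECTED' is parsed by the shell."""
    line = f"{notify_cmd} --status Synced --members {members_arg(members)}"
    res = subprocess.run(["sh", "-c", line], capture_output=True, text=True)
    return res.stdout.splitlines()


def members_are_clean(members):
    """True only if every peer-supplied field matches the allowlists."""
    return all(NODE_NAME_RE.match(n) and ADDRESS_RE.match(a) for _, n, a in members)


def safe_invoke(notify_cmd, members, validate=True):
    """Hardened: exec with an argv list so no shell ever parses peer data,
    and (by default) reject fields outside the allowlist so that the notify
    script's own parsing of the uuid/name/address triplets is not attacked
    either. shlex.split only touches the operator-configured command string,
    which may legitimately carry options of its own."""
    if validate and not members_are_clean(members):
        raise ValueError("rejecting membership view with disallowed characters")
    argv = shlex.split(notify_cmd) + ["--status", "Synced", "--members", members_arg(members)]
    res = subprocess.run(argv, capture_output=True, text=True)  # no shell involved
    return res.stdout.splitlines()


# Constructed sample membership views (not real cluster data).
BENIGN = [("uuid-1", "node1", "10.0.0.1:3306"), ("uuid-2", "node2", "10.0.0.2:3306")]
HOSTILE = [("uuid-1", "node1", "10.0.0.1:3306"),
           ("uuid-3", "node3; echo INJECTED", "10.0.0.3:3306")]

if __name__ == "__main__":
    stub = make_notify_stub()
    cmd = "sh " + stub  # the operator-configured wsrep_notify_cmd value
    print("unsafe (shell parses the node name):", unsafe_invoke(cmd, HOSTILE))
    print("argv only (name arrives as one literal):", safe_invoke(cmd, HOSTILE, validate=False))
    print("argv + allowlist, benign view:", safe_invoke(cmd, BENIGN))
    print("argv + allowlist, hostile view rejected:", not members_are_clean(HOSTILE))
    os.unlink(stub)
```

The argv form alone already stops the shell from ever seeing the node name, which is the fix the advisory describes; the allowlist is the extra step a defender would want, because the real notify script still splits the --members value on "/" and "," and a name containing those characters would corrupt its view of the cluster even without a shell.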