Webinar | MariaDB AI RAG: Replacing Complex Pipeline Tooling with One REST API
Watch Now
Ctrlk
Download MariaDBContact Us
Edit

MariaDB 11.4.12 Release Notes

MariaDB 11.4.12 is a Stable (GA) release of MariaDB Community Server 11.4, released on 2026-05-27

Download Release Notes Changelog Overview of 11.4

Alternate download from mariadb.org

Release date: 27 May 2026

MariaDB 11.4.12 is a Stable (GA) corrective release of MariaDB Community Server 11.4. Released on 2026-05-27, this version includes fixes for high-severity security vulnerabilities reported for MariaDB Cluster (Galera), as defined in our engineering policy (see https://mariadb.com/engineering-policies/).

For an overview of MariaDB 11.4 see the MariaDB 11.4 Changes & Improvements page.

Notable Items

MariaDB Cluster (Galera)

  • A parameter-injection gap existed in wsrep_sst_rsync because it failed to validate the joiner-supplied WSREP_SST_OPT_REMOTE_USER and WSREP_SST_OPT_REMOTE_PSWD values before interpolating them into the donor-written stunnel.conf and the rsync magic file MDEV-39648

  • An appropriately privileged user (with SUPER privileges) could execute shell commands as the uid of the mariadbd process because the values of the system variables wsrep_sst_donor and wsrep_sst_receive_address, which can be modified at runtime, were not properly sanitized when used to construct a shell command MDEV-39676

  • The wsrep_notify_cmd functionality was susceptible to a parameter-injection vulnerability, as it failed to validate the peer-supplied wsrep_node_name and wsrep_node_incoming_address values before interpolating them into the notification command line MDEV-39721

  • In a multi-table UPDATE, the table list could incorrectly include tables that were not opened because they were not truly modified. This occurred when an UPDATE modified a table referenced by a foreign key constraint from a table that was not part of the multi-table update MDEV-3968

  • Galera updated to 26.4.27

Server

  • The server failed to parse schema-qualified table names when the unquoted table name began with a digit MDEV-39654

Security

Fixes for the following security vulnerabilities

CVE ID (with cve.org link)
CVSS base score (v3.1)

CVE-2026-49261

10.0

CVE-2026-48165

8.0

CVE-2026-48163

8.0

Changelog

For a complete list of changes made in MariaDB 11.4.12, with links to detailed information on each push, see the changelog.

Be notified of new MariaDB Server releases automatically by subscribing to the MariaDB Foundation community announce 'at' lists.mariadb.org announcement list (this is a low traffic, announce-only list). MariaDB plc customers will be notified for all new releases, security issues and critical bug fixes for all MariaDB plc products thanks to the Notification Services.

MariaDB may already be included in your favorite OS distribution. More information can be found on the Distributions which Include MariaDB page.

This page is licensed: CC BY-SA / Gnu FDL

spinner
PreviousMariaDB 11.4 Changes & ImprovementsNextMariaDB 11.4.11 Release Notes

Last updated

Was this helpful?