CVE-2026-44169
MEDIUM
MariaDB: Authorization bypass in role-based routine-level privilege check exposes stored routine definitions
Title source: cna
Description
MariaDB server is a community-developed fork of MySQL server. From versions 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, a user who was granted EXECUTE access to a stored routine via a role could see the routine definition even without the SHOW CREATE ROUTINE privilege. This issue has been patched in versions 11.4.11, 11.8.7, and 12.3.2.
References (2)
x_refsource_confirm
https://github.com/MariaDB/server/security/advisories/GHSA-22xq-vq3f-87x2
x_refsource_misc
https://jira.mariadb.org/browse/MDEV-39288
Scores
CVSS v3
4.3
EPSS
0.0028
EPSS Percentile
19.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (3)
MariaDB/server
>= 11.4.1, < 11.4.11
MariaDB/server
>= 11.8.1, < 11.8.7
MariaDB/server
>= 12.3.1, < 12.3.2
Published
Jun 12, 2026
Tracked Since
Jun 12, 2026