CVE-2026-44169

MariaDB: Authorization bypass in role-based routine-level privilege check exposes stored routine definitions

Published: 6/12/2026 Last updated: 6/13/2026 Reserved: 5/5/2026

MariaDB server is a community developed fork of MySQL server. From versions 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, a user getting EXECUTE access to a stored routine via a role, could see the routine definition even without SHOW CREATE ROUTINE privilege. This issue has been patched in versions 11.4.11, 11.8.7, and 12.3.2.

CNA assigner: GitHub_M (a0819718-46f1-4df5-94e2-005712e83aaa) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	4.3	Medium	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Opam packages affected (2)

conf-mariadb conf-mysql

Products affected (1)

Product	Vendor	Version
server	MariaDB	Java SE: 7u231, 8u221, 11.0.4, 13

References (2)

https://github.com/MariaDB/server/security/advisories/GHSA-22xq-vq3f-87x2
https://jira.mariadb.org/browse/MDEV-39288