Security Advisory - Published 2026-06-12 - Database / Middleware

Database and middleware CVEs: MariaDB, MongoDB, Netty, and Koha

This batch hits infrastructure services that are often treated as internal. Check the actual runtime settings, not just the package version: MariaDB branch level, MongoDB server-side JavaScript, Koha staff report permissions, Java services using Netty Redis/DNS/HAProxy/TLS, and HTTP/2 or HTTP/3 gateways built on Netty.

Defensive scope: this page covers configuration review, version checks, log review, and safe mitigations. It does not include crafted database or protocol inputs.

What is affected

Each entry gives the CVE, the affected product, the condition that makes it a risk, and the immediate check.

  • CVE-2026-49261, MariaDB Galera. Risk condition: vulnerable version with wsrep_notify_cmd enabled. Immediate check: patch to a fixed MariaDB line or disable wsrep_notify_cmd.
  • CVE-2026-11933, MongoDB Server. Risk condition: an authenticated user can run server-side JavaScript. Immediate check: review $where, $function, and scripting settings.
  • CVE-2026-44250, Netty Redis codec. Risk condition: a service parses Redis protocol traffic with an old netty-codec-redis. Immediate check: update to 4.1.135.Final or 4.2.15.Final.
  • CVE-2026-44890, Netty Redis codec. Risk condition: direct-memory pressure through Redis codec handling. Immediate check: patch and review memory alerts.
  • CVE-2026-44892, Netty HTTP/3 codec. Risk condition: HTTP/3 header handling without a bounded maximum size. Immediate check: update netty-codec-http3 to 4.2.15.Final or newer.
  • CVE-2026-44168 / 44170 / 44172 / 48163 / 48165, MariaDB Server. Risk condition: new MariaDB branch advisories affecting the 10.6, 10.11, 11.4, and 11.8 lines. Immediate check: move to the fixed MariaDB release for the deployed branch.
  • CVE-2026-44249 / 45673 / 45674 / 47691 / 50010, Netty DNS, subnet, and TLS handling. Risk condition: DNS cache poisoning, subnet-filter bypass, or TLS trust-manager edge cases. Immediate check: update Netty to 4.1.135.Final or 4.2.15.Final.
  • CVE-2026-44893 / 44894 / 45416 / 46340 / 48006 / 48043 / 48059 / 48748 / 50011 / 50560, Netty protocol codecs. Risk condition: memory leak, memory exhaustion, or amplification risk in the HAProxy, QUIC/HTTP3, SCTP, Redis, and HTTP/2 paths. Immediate check: patch dependency locks and redeploy every Java service using the affected module.
  • CVE-2026-6428, Koha. Risk condition: a staff account with the Reports permission can reach a vulnerable catalogue report path on affected branches. Immediate check: upgrade to the fixed Koha branch and review report access, exports, and database errors.

Checks to run

mariadb --version
mysql -e "SHOW VARIABLES LIKE 'wsrep_notify_cmd';"
mongosh --eval "db.adminCommand({ getParameter: 1, javascriptEnabled: 1 })"
koha-list --enabled
dpkg -l | grep -i koha
grep -RnE "netty-(codec|handler|resolver-dns|transport-sctp)" --include="pom.xml" --include="*.gradle" --include="*.lock" .

If MariaDB is production-critical, snapshot config and logs before changing branch versions. For Koha, check the branch actually serving staff users and confirm who has Reports access. For Netty, check the lock file in the running service; the parent POM can be newer than one deployed service. Transitive dependencies can leave one service on an older codec while another service is already fixed.
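A way to carry out the Netty part of these checks across a service inventory, as an added example that is not part of this advisory: it pulls io.netty coordinates out of Gradle lock files or mvn dependency:tree output, keeps every version seen per artifact (so a transitive pull of an older codec is not hidden by a newer one), and flags any artifact below the fixed release named above for its branch. The sample input is constructed.

```python
import re
from typing import Dict, List, Set, Tuple
Version = Tuple[int, int, int]
# Fixed releases named in the advisory: 4.1.135.Final and 4.2.15.Final for the 4.1 and
# 4.2 lines; netty-codec-http3 is only listed as fixed in 4.2.15.Final or newer.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {(4, 1): (4, 1, 135), (4, 2): (4, 2, 15)}
HTTP3_FIXED: Version = (4, 2, 15)
# Matches Gradle lock entries (io.netty:netty-codec-redis:4.1.118.Final=...) and
# mvn dependency:tree lines (io.netty:netty-codec-redis:jar:4.1.118.Final:compile).
COORD = re.compile(r"io\.netty:(netty-[\w-]+):(?:jar:)?(\d+)\.(\d+)\.(\d+)\.Final")

def parse_netty_deps(text: str) -> Dict[str, Set[Version]]:
    """Collect every version seen per Netty artifact; transitive pulls can yield several."""
    found: Dict[str, Set[Version]] = {}
    for m in COORD.finditer(text):
        found.setdefault(m.group(1), set()).add(tuple(int(x) for x in m.group(2, 3, 4)))
    return found

def fmt(v: Version) -> str:
    return "%d.%d.%d.Final" % v

def required_version(artifact: str, version: Version):
    """Fixed release for this artifact's branch, or None if the advisory does not cover it."""
    if artifact == "netty-codec-http3":
        return HTTP3_FIXED
    return FIXED_BY_BRANCH.get(version[:2])

def audit(text: str) -> List[str]:
    """One finding per (artifact, version) below its fixed release or on an uncovered branch."""
    findings = []
    for artifact, versions in sorted(parse_netty_deps(text).items()):
        for version in sorted(versions):
            required = required_version(artifact, version)
            if required is None:
                findings.append(f"{artifact} {fmt(version)}: branch not covered by this advisory, review manually")
            elif version < required:
                findings.append(f"{artifact} {fmt(version)}: below fixed release {fmt(required)}")
    return findings

# Constructed sample: Gradle lock lines and mvn dependency:tree lines from one service.
SAMPLE = """\
io.netty:netty-codec-redis:4.1.118.Final=runtimeClasspath
io.netty:netty-handler:4.1.135.Final=runtimeClasspath
[INFO] +- io.netty:netty-codec-http3:jar:4.2.10.Final:compile
[INFO] |  +- io.netty:netty-resolver-dns:jar:4.2.15.Final:compile
io.netty:netty-transport-sctp:4.0.56.Final=runtimeClasspath
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no Netty findings")
```

Feed it the concatenated lock files of each deployed service rather than the parent POM, since the parent can be newer than what a given service actually runs.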

Logs and indicators

  • MariaDB node-join events, Galera state changes, and shell-hook failures around wsrep notifications.
  • MongoDB crashes, memory-related errors, and unexpected use of server-side JavaScript operators.
  • Koha staff report access, unusual catalogue report exports, database errors, or account changes involving the Reports permission.
  • Java service OutOfMemory errors, direct-memory pressure, HTTP/2 or HTTP/3 gateway restarts, DNS resolver anomalies, or Redis protocol gateway restarts.
  • Recent credential or service-account changes after database instability.

Ping7 repair path

Ping7 can help review database version state, risky settings, logs, and post-patch service health. Use CVE Repair for owned systems or client-approved environments that store production data.

References