Security Advisory - Published 2026-06-12 - Database / Middleware
Database and middleware CVEs: MariaDB, MongoDB, Netty, and Koha
This batch covers infrastructure services that are often treated as internal and therefore patched and monitored less closely. Check the actual runtime settings, not just the package version: the MariaDB branch in use, whether MongoDB server-side JavaScript is enabled, which Koha staff accounts hold the Reports permission, which Java services pull in Netty's Redis, DNS, HAProxy, or TLS modules, and which HTTP/2 or HTTP/3 gateways are built on Netty.
What is affected
| CVE | Product | Risk condition | Immediate check |
|---|---|---|---|
| CVE-2026-49261 | MariaDB Galera | Vulnerable version with wsrep_notify_cmd enabled. | Move to the fixed release for the deployed MariaDB line, or disable wsrep_notify_cmd until you can. |
| CVE-2026-11933 | MongoDB Server | Authenticated user can run server-side JavaScript. | Review $where, $function, and scripting settings. |
| CVE-2026-44250 | Netty Redis codec | Service parses Redis protocol traffic with old netty-codec-redis. | Update to 4.1.135.Final or 4.2.15.Final. |
| CVE-2026-44890 | Netty Redis codec | Direct-memory pressure through Redis codec handling. | Patch netty-codec-redis and review direct-memory alerts on services that parse Redis traffic. |
| CVE-2026-44892 | Netty HTTP/3 codec | HTTP/3 header handling without a bounded maximum size. | Update netty-codec-http3 to 4.2.15.Final or newer. |
| CVE-2026-44168 / 44170 / 44172 / 48163 / 48165 | MariaDB Server | New MariaDB branch advisories affecting 10.6, 10.11, 11.4, and 11.8 lines. | Move to the fixed MariaDB release for the deployed branch. |
| CVE-2026-44249 / 45673 / 45674 / 47691 / 50010 | Netty DNS, subnet, and TLS handling | DNS cache poisoning, subnet-filter bypass, or TLS trust-manager edge cases. | Update Netty to 4.1.135.Final or 4.2.15.Final. |
| CVE-2026-44893 / 44894 / 45416 / 46340 / 48006 / 48043 / 48059 / 48748 / 50011 / 50560 | Netty protocol codecs | Memory leak, memory exhaustion, or amplification risk in HAProxy, QUIC/HTTP3, SCTP, Redis, and HTTP/2 paths. | Patch dependency locks and redeploy every Java service using the affected module. |
| CVE-2026-6428 | Koha | Staff account with Reports permission can reach a vulnerable catalogue report path on affected branches. | Upgrade to the fixed Koha branch and review report access, exports, and database errors. |
Checks to run
mariadb --version
mysql -e "SHOW VARIABLES LIKE 'wsrep_notify_cmd';"
mongosh --eval "db.adminCommand({ getParameter: 1, javascriptEnabled: 1 })"
koha-list --enabled
dpkg -l | grep -i koha
grep -rEn "netty-(codec|handler|resolver-dns|transport-sctp)" . --include="pom.xml" --include="*.gradle" --include="*.lock" --include="*.lockfile"
If MariaDB is production-critical, snapshot config and logs before changing branch versions. For Koha, check the branch actually serving staff users and confirm who has Reports access. For Netty, check the lock file of each running service rather than the parent POM: the parent can declare a newer Netty than the version a given service actually resolved, and transitive dependencies can leave one service on an older codec while another is already fixed.
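The grep above only finds where Netty is referenced; it does not tell you whether each service resolved a fixed version. The following script is an added example, not part of the advisory or of the Netty project, that reads per-service Gradle lockfile entries or `mvn dependency:list` output, compares every io.netty coordinate against the fixed releases named in this advisory (4.1.135.Final for the 4.1 line, 4.2.15.Final for the 4.2 line), and lists the services that still need a redeploy. The three service listings embedded in it are constructed sample input, and treating any Netty line other than 4.1 and 4.2 as "review" rather than "ok" is this example's own conservative choice.

```python
import re
import sys

# Fixed releases named in the advisory, keyed by Netty line (major, minor).
FIXED = {
    (4, 1): (4, 1, 135),
    (4, 2): (4, 2, 15),
}

# Matches both Gradle lockfile entries, e.g.
#   io.netty:netty-codec-redis:4.1.128.Final=runtimeClasspath
# and `mvn dependency:list` output, e.g.
#   [INFO]    io.netty:netty-codec-http3:jar:4.2.10.Final:compile
COORD = re.compile(r"io\.netty:(netty-[\w-]+)(?::jar)?:(\d+)\.(\d+)\.(\d+)\.Final")


def assess(version):
    """Classify a (major, minor, patch) tuple against the fixed release for its line.

    Returns 'ok', 'vulnerable', or 'review' (a line this advisory does not name,
    such as 4.0.x, which needs a manual decision rather than a silent pass).
    """
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "review"
    return "ok" if version >= fixed else "vulnerable"


def scan(text):
    """Return a sorted list of (artifact, version_string, verdict) for every
    io.netty coordinate found in one lockfile or dependency listing."""
    found = set()
    for m in COORD.finditer(text):
        artifact = m.group(1)
        version = tuple(int(x) for x in m.group(2, 3, 4))
        found.add((artifact, "%d.%d.%d.Final" % version, assess(version)))
    return sorted(found)


def scan_services(services):
    """services maps a service name to the text captured from that service's own
    build. Each service is judged on what it resolved, not on a shared parent POM."""
    return {name: scan(text) for name, text in services.items()}


def needs_redeploy(report):
    """Names of services with at least one Netty artifact below the fixed release."""
    return sorted(name for name, rows in report.items()
                  if any(verdict == "vulnerable" for _, _, verdict in rows))


# Constructed sample input (not real services): three builds sharing a parent
# POM that nevertheless resolved different Netty versions.
SAMPLE_SERVICES = {
    "gateway (gradle.lockfile)": (
        "io.netty:netty-codec-http2:4.1.135.Final=runtimeClasspath\n"
        "io.netty:netty-codec-redis:4.1.128.Final=runtimeClasspath\n"
    ),
    "edge (mvn dependency:list)": (
        "[INFO]    io.netty:netty-codec-http3:jar:4.2.15.Final:compile\n"
        "[INFO]    io.netty:netty-handler:jar:4.2.15.Final:compile\n"
    ),
    "legacy (mvn dependency:list)": (
        "[INFO]    io.netty:netty-all:jar:4.0.56.Final:compile\n"
    ),
}

if __name__ == "__main__":
    # Pass lockfile or dependency-list paths to scan real services; with no
    # arguments the script runs on the constructed samples above.
    if len(sys.argv) > 1:
        services = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]}
    else:
        services = SAMPLE_SERVICES
    report = scan_services(services)
    for name, rows in report.items():
        for artifact, version, verdict in rows:
            print("%-32s %-24s %-14s %s" % (name, artifact, version, verdict))
    print("redeploy:", ", ".join(needs_redeploy(report)) or "none")
```

Run it against one captured listing per deployed service (`./gradlew dependencies --write-locks` or `mvn dependency:list` executed in each service's own build) rather than against the parent POM; in the sample, the gateway service is the only one flagged, because it still resolves netty-codec-redis 4.1.128.Final even though its HTTP/2 codec is already at 4.1.135.Final.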
Logs and indicators
- MariaDB node-join events, Galera state changes, and shell-hook failures around wsrep notifications.
- MongoDB crashes, memory-related errors, and unexpected use of server-side JavaScript operators.
- Koha staff report access, unusual catalogue report exports, database errors, or account changes involving the Reports permission.
- Java service OutOfMemory errors, direct-memory pressure, HTTP/2 or HTTP/3 gateway restarts, DNS resolver anomalies, or Redis protocol gateway restarts.
- Recent credential or service-account changes after database instability.
Ping7 repair path
Ping7 can help review database version state, risky settings, logs, and post-patch service health. Use CVE Repair for owned systems or client-approved environments that store production data.
References
- MariaDB advisory GHSA-3p3m-4x7c-p4pw
- MariaDB advisory GHSA-vwf7-w26c-9w5h
- MariaDB advisory GHSA-rpgv-q6gv-684r
- MariaDB advisory GHSA-7v3p-h23x-8hwv
- MongoDB SERVER-128125
- Netty Redis advisory GHSA-3244-j874-rhc2
- Netty Redis advisory GHSA-6ghj-frrj-jjj3
- GitHub Advisory: Netty HTTP/3 CVE-2026-44892
- Netty 4.1.135.Final release
- Netty 4.2.15.Final release
- Koha community security releases
- Koha bug 42361
- GitHub Advisory: CVE-2026-6428