Details
-
Bug
-
Status: Stalled (View Workflow)
-
Major
-
Resolution: Unresolved
-
11.4.12
-
Q3/2026 Server Maintenance
Description
During an upgrade from MariaDB 10.11.15 to 11.4.10, one of the customer observed that existing user grants on objects within the sys schema were silently removed after running mariadb-upgrade.
Impact:
Users that previously had EXECUTE privileges on sys stored procedures and functions lost those privileges after the upgrade. This resulted in authorization failures for applications and operational tooling that depended on those routines.
Reproduction
Before upgrade:
SHOW GRANTS FOR 'myuser'@'%';
Output:
GRANT USAGE ON . TO myuser@%;
GRANT SELECT ON mysql.user TO myuser@%;
GRANT EXECUTE ON PROCEDURE sys.table_exists TO myuser@%;
GRANT EXECUTE ON FUNCTION sys.quote_identifier TO myuser@%;
Upgrade path:
Upgrade MariaDB from 10.11.15 to 11.4.10.
Run mariadb-upgrade as recommended by the documentation.
After upgrade:
SHOW GRANTS FOR 'myuser'@'%';
Output:
GRANT USAGE ON . TO myuser@%;
GRANT SELECT ON mysql.user TO myuser@%;
The EXECUTE privileges on sys.table_exists and sys.quote_identifier are no longer present.
Root Cause Analysis
Our investigation indicates that mariadb-upgrade reinstalls the sys schema using a destructive drop-and-recreate approach. Because stored routines are recreated rather than updated in place, object-level grants associated with the previous routine definitions are lost.
This behavior affects entries stored in privilege tables such as mysql.procs_priv and results in silent removal of previously granted permissions.
I am attaching my local test results as well to reference.