If you have recently tried to migrate a cPanel server and watched every single database import fail with ERROR at line 1: Unknown command '\-', you are not alone. This error has been quietly biting sysadmins for the better part of a year, and cPanel still has not published a word about it.
Here is what is happening, why it is happening, and how to fix it.
The Error
You dump a database on Server A, transfer it to Server B, and try to import it. Instead of a clean restore, you get this:
ERROR at line 1: Unknown command '\-'.
That is it. No mention of version incompatibility. No hint about what \- means. No suggestion for a fix. Just a cryptic one-liner that sends you searching through forums.
If you open the dump file, the very first line looks like this:
/*!999999\- enable the sandbox mode */
That line is the entire problem.
What Changed and Why
Starting with MariaDB 10.5.25, 10.6.18, 10.11.8, 11.0.6, 11.1.5, 11.2.4, and 11.4.2, the mariadb-dump utility (aliased as mysqldump on most systems) now prepends a sandbox mode directive to the top of every SQL dump it creates. This was introduced as a mitigation for CVE-2024-21096, a vulnerability that could allow a maliciously crafted dump file to execute arbitrary shell commands when imported through the MariaDB command-line client.
The sandbox mode directive tells the importing client to disable system commands for the remainder of the session. It is a legitimate security improvement. The problem is that this directive uses a syntax that older MariaDB clients and all MySQL clients simply do not understand. When an older client encounters the \- command, it does not skip it gracefully. It throws an error and halts the entire import.
MariaDB has acknowledged the compatibility breakage but has stated clearly that they will not revert the change. Their position is that security fixes sometimes necessitate breaking backward compatibility, and this is one of those cases.
Why This Hits cPanel Servers Especially Hard
Server migrations between different MariaDB point releases are one of the most common operations in managed hosting. Consider how many everyday scenarios trigger this exact failure:
You upgrade a source server’s MariaDB to the latest patch release (good security hygiene), then migrate accounts to a destination server that has not been updated yet. Or you migrate from an older CentOS 7 box running a patched 10.5.x to a fresh AlmaLinux 8 server with a stock 10.3.x from the OS repositories. Or you simply pull a backup from one cPanel server and try to restore it on another.
In every single one of these cases, if the source server’s mariadb-dump includes the sandbox line and the destination server’s client predates the sandbox support, every database import will fail. Not some of them. All of them.
What makes this especially frustrating for cPanel administrators is the total lack of documentation from cPanel. Plesk published a detailed knowledge base article within weeks of the change, documenting the error, its cause, and multiple workarounds. DirectAdmin users reported the issue and shared fixes in their community forums. cPanel? Nothing. No KB article, no changelog mention, no EasyApache advisory. If you manage cPanel servers and you were not already plugged into the MariaDB developer community, you were left completely in the dark.
The Fix
The good news is that the fix is straightforward. The sandbox directive is always on line 1 of the dump file, and removing it restores full compatibility with older clients. Here are several approaches depending on your situation.
Fix a Dump File Before Import
If you already have a dump file that will not import, strip the first line:
sed --in-place '1d' dump.sql
Or if you want to be more targeted and only remove the line if it actually contains the sandbox directive:
sed --in-place '1{/999999.*sandbox/d}' dump.sql
Fix at Dump Time
If you are generating dumps and know they will be imported on older servers, pipe the output through tail to strip the first line automatically:
mariadb-dump --all-databases | tail -n +2 > dump.sql
Fix at Import Time
You can also strip the line during import without modifying the dump file on disk:
tail -n +2 dump.sql | mysql -u root -p database_name
Fix in Bulk for Migration Jobs
If you are running a bulk migration and have a directory full of dump files, you can process them all at once:
for f in /path/to/dumps/*.sql; do
sed --in-place '1{/999999.*sandbox/d}' "$f"
done
The Proper Long-Term Fix
The real solution is to ensure both your source and destination servers are running MariaDB versions that include sandbox mode support. If both sides understand the directive, the dump imports cleanly with no modification. Update MariaDB on your destination servers to at least 10.5.25, 10.6.18, 10.11.8, or 11.0.6 (depending on your version branch) and the problem disappears entirely.
On cPanel servers, you can update MariaDB through WHM under Software > MySQL/MariaDB Upgrade, or via the command line:
/scripts/mysqlup --force
Just make sure you are upgrading to a version that includes the sandbox mode support on both ends.
Wrapping Up
This is a textbook example of a well-intentioned security fix with poorly communicated fallout. MariaDB had valid reasons for introducing sandbox mode. CVE-2024-21096 was a real vulnerability, and disabling system commands during dump imports is the right call. But the combination of a breaking change in a point release, a cryptic error message, and zero documentation from cPanel created a perfect storm that has wasted countless hours for hosting administrators.
If you are planning any server migrations, add “check MariaDB versions on both sides” to your pre-migration checklist. And if you get hit by this error on a migration that is already in progress, the sed one-liner will get you moving again in seconds.
As always, keep your servers patched, but maybe keep a copy of that sed command handy too.