CVE-2026-3494
Received Received - Intake
Logging Bypass in MariaDB Server Audit Plugin via Commented Queries

Publication date: 2026-03-03

Last updated on: 2026-03-16

Assigner: AMZN

Description
In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (β€”) or hash (#) style comments, the statement is not logged.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-03
Last Modified
2026-03-16
Generated
2026-06-16
AI Q&A
2026-03-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3494
EUVD
EUVD-2026-9311
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
mariadb mariadb to 10.6.24 (inc)
mariadb mariadb From 10.7.0 (inc) to 10.11.15 (inc)
mariadb mariadb From 11.0.0 (inc) to 11.4.9 (inc)
mariadb mariadb From 11.5.0 (inc) to 11.8.5 (inc)
amazon aurora_mysql to 2.12.5 (inc)
amazon aurora_mysql From 3.01.0 (inc) to 3.04.5 (inc)
amazon aurora_mysql From 3.05.1 (inc) to 3.10.2 (inc)
amazon aurora_mysql 3.11.0
amazon relational_database_service to 10.6.24 (inc)
amazon relational_database_service From 10.11.4 (inc) to 10.11.15 (inc)
amazon relational_database_service From 11.4.3 (inc) to 11.4.9 (inc)
amazon relational_database_service From 11.8.3 (inc) to 11.8.5 (inc)
amazon relational_database_service to 5.7.44-rds.20251212 (inc)
amazon relational_database_service From 8.0.11 (inc) to 8.0.44 (inc)
amazon relational_database_service From 8.4.3 (inc) to 8.4.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-778 When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in MariaDB server versions up to 11.8.5 when the server audit plugin is enabled with the server_audit_events variable configured to filter QUERY_DCL, QUERY_DDL, or QUERY_DML events.

If an authenticated database user executes a SQL statement that begins with double-hyphen (--) or hash (#) style comments, the statement is not logged by the audit plugin.

This means that certain SQL statements can bypass audit logging, potentially hiding user actions from audit records.

Impact Analysis

The vulnerability allows authenticated users to execute SQL statements that are not recorded in audit logs if those statements start with comment prefixes (-- or #).

This can lead to incomplete or missing audit trails, making it difficult to detect unauthorized or malicious database activities.

As a result, it can undermine security monitoring, forensic investigations, and accountability within the database environment.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves the MariaDB server audit plugin not logging SQL statements prefixed with double-hyphen (--) or hash (#) style comments when certain audit filters are enabled. Detection would involve verifying whether such statements are missing from audit logs despite being executed by authenticated users.

There are no specific commands provided in the available resources to detect this vulnerability directly on your system or network.

Mitigation Strategies

The recommended immediate mitigation step is to upgrade MariaDB server and related Amazon RDS/Aurora MySQL/MariaDB versions to the fixed versions where this vulnerability is resolved.

  • Upgrade MariaDB Server to versions later than 11.8.5, such as 11.8.6 or newer.
  • Upgrade Amazon Aurora MySQL to versions 2.12.6, 3.04.6, 3.10.3, or 3.11.1 and later.
  • Upgrade Amazon RDS for MySQL to versions 5.7.44-RDS.20260212, 8.0.45, or 8.4.8 and later.
  • Upgrade Amazon RDS for MariaDB to versions 10.6.25, 10.11.16, 11.4.10, or 11.8.6 and later.

No known workarounds exist, so applying these upgrades is strongly recommended. Additionally, users maintaining forked or derivative code should apply necessary patches to incorporate these fixes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3494. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart