CVE-2026-3494
Logging Bypass in MariaDB Server Audit Plugin via Commented Queries
Publication date: 2026-03-03
Last updated on: 2026-03-16
Assigner: AMZN
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mariadb | mariadb | Up to 10.6.24 (inc) |
| mariadb | mariadb | From 10.7.0 (inc) to 10.11.15 (inc) |
| mariadb | mariadb | From 11.0.0 (inc) to 11.4.9 (inc) |
| mariadb | mariadb | From 11.5.0 (inc) to 11.8.5 (inc) |
| amazon | aurora_mysql | Up to 2.12.5 (inc) |
| amazon | aurora_mysql | From 3.01.0 (inc) to 3.04.5 (inc) |
| amazon | aurora_mysql | From 3.05.1 (inc) to 3.10.2 (inc) |
| amazon | aurora_mysql | 3.11.0 |
| amazon | relational_database_service | Up to 10.6.24 (inc) |
| amazon | relational_database_service | From 10.11.4 (inc) to 10.11.15 (inc) |
| amazon | relational_database_service | From 11.4.3 (inc) to 11.4.9 (inc) |
| amazon | relational_database_service | From 11.8.3 (inc) to 11.8.5 (inc) |
| amazon | relational_database_service | Up to 5.7.44-rds.20251212 (inc) |
| amazon | relational_database_service | From 8.0.11 (inc) to 8.0.44 (inc) |
| amazon | relational_database_service | From 8.4.3 (inc) to 8.4.7 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-778 | When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in MariaDB server versions up to 11.8.5 when the server audit plugin is enabled with the server_audit_events variable configured to filter QUERY_DCL, QUERY_DDL, or QUERY_DML events.
If an authenticated database user executes a SQL statement that begins with double-hyphen (--) or hash (#) style comments, the statement is not logged by the audit plugin.
This means that certain SQL statements can bypass audit logging, potentially hiding user actions from audit records.
How can this vulnerability impact me?
The vulnerability allows authenticated users to execute SQL statements that are not recorded in audit logs if those statements start with comment prefixes (-- or #).
This can lead to incomplete or missing audit trails, making it difficult to detect unauthorized or malicious database activities.
As a result, it can undermine security monitoring, forensic investigations, and accountability within the database environment.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the MariaDB server audit plugin not logging SQL statements prefixed with double-hyphen (--) or hash (#) style comments when certain audit filters are enabled. Detection would involve verifying whether such statements are missing from audit logs despite being executed by authenticated users.
There are no specific commands provided in the available resources to detect this vulnerability directly on your system or network.
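As an added detection example (not from this page, MariaDB or Amazon), the following Python script cross-checks a constructed sample of server_audit plugin log lines against the statements a session actually executed (for instance from the general query log or a proxy capture) and reports the executed statements that never reached the audit log, flagging those that begin with a -- or # comment. The audit-line field layout and all sample data are assumptions made for this example.

```python
import re
from typing import Iterable

# Constructed sample of server_audit file-format lines (assumed layout:
# timestamp,serverhost,user,host,connection_id,query_id,operation,database,object,retcode).
AUDIT_LOG = """\
20260301 10:00:01,db1,appuser,10.0.0.5,12,101,QUERY_DML,shop,'UPDATE orders SET status=\\'paid\\' WHERE id=7',0
20260301 10:00:02,db1,appuser,10.0.0.5,12,102,QUERY_DDL,shop,'CREATE TABLE tmp1 (id INT)',0
"""

# Constructed list of what the same session really executed; the two statements
# that open with a line comment are the ones a vulnerable plugin silently drops.
EXECUTED = [
    "UPDATE orders SET status='paid' WHERE id=7",
    "-- cleanup\nDROP TABLE tmp1",
    "CREATE TABLE tmp1 (id INT)",
    "# x\nGRANT ALL ON shop.* TO 'appuser'@'%'",
]

LEADING_COMMENT = re.compile(r"^\s*(--|#)")


def starts_with_line_comment(stmt: str) -> bool:
    """True if the statement begins with a -- or # line comment (the CVE-2026-3494 trigger)."""
    return bool(LEADING_COMMENT.match(stmt))


def normalize(stmt: str) -> str:
    """Drop leading line-comment lines and collapse whitespace so both sides compare equal."""
    lines = [ln for ln in stmt.splitlines() if not LEADING_COMMENT.match(ln)]
    return " ".join(" ".join(lines).split())


def audited_statements(log: str) -> set:
    """Extract the quoted SQL text from each QUERY* audit line (single quotes are \\'-escaped)."""
    out = set()
    for line in log.splitlines():
        m = re.search(r",(QUERY(?:_D[CDM]L)?),[^,]*,'(.*)',-?\d+$", line)
        if m:
            out.add(normalize(m.group(2).replace("\\'", "'")))
    return out


def find_unaudited(executed: Iterable[str], log: str) -> list:
    """Executed statements absent from the audit log, each tagged with whether it carries the comment prefix."""
    seen = audited_statements(log)
    return [(s, starts_with_line_comment(s)) for s in executed if normalize(s) not in seen]


if __name__ == "__main__":
    for stmt, flagged in find_unaudited(EXECUTED, AUDIT_LOG):
        print(f"NOT AUDITED (leading comment: {flagged}): {stmt!r}")
```

A gap where every unaudited statement is flagged as comment-prefixed is the signature of this CVE; unaudited statements without the prefix point at some other logging problem.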
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation step is to upgrade MariaDB server and related Amazon RDS/Aurora MySQL/MariaDB versions to the fixed versions where this vulnerability is resolved.
- Upgrade MariaDB Server to versions later than 11.8.5, such as 11.8.6 or newer.
- Upgrade Amazon Aurora MySQL to versions 2.12.6, 3.04.6, 3.10.3, or 3.11.1 and later.
- Upgrade Amazon RDS for MySQL to versions 5.7.44-RDS.20260212, 8.0.45, or 8.4.8 and later.
- Upgrade Amazon RDS for MariaDB to versions 10.6.25, 10.11.16, 11.4.10, or 11.8.6 and later.
No known workarounds exist, so applying these upgrades is strongly recommended. Additionally, users maintaining forked or derivative code should apply necessary patches to incorporate these fixes.