CVE-2026-3494

Summary

In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (—) or hash (#) style comments, the statement is not logged.

Affected Software

VendorProductVersion RangeStatus
MariaDB FoundationMariaDB Server10.6.25unaffected
MariaDB FoundationMariaDB Server10.11.16unaffected
MariaDB FoundationMariaDB Server11.4.10unaffected
MariaDB FoundationMariaDB Server11.8.6unaffected
AmazonAurora MySQL2.12.6unaffected
AmazonAurora MySQL3.04.6unaffected
AmazonAurora MySQL3.10.3unaffected
AmazonAurora MySQL3.11.1unaffected
AmazonRDS for MySQL5.7.44-RDS.20260212unaffected
AmazonRDS for MySQL8.0.45unaffected
AmazonRDS for MySQL8.4.8unaffected
AmazonRDS for MariaDB10.6.25unaffected
AmazonRDS for MariaDB10.11.16unaffected
AmazonRDS for MariaDB11.4.10unaffected
AmazonRDS for MariaDB11.8.6unaffected

Weaknesses

  • CWE-778: CWE-778 (Insufficient Logging)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References