CVE-2026-3494
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (—) or hash (#) style comments, the statement is not logged.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| MariaDB Foundation | MariaDB Server | 10.6.25 | unaffected |
| MariaDB Foundation | MariaDB Server | 10.11.16 | unaffected |
| MariaDB Foundation | MariaDB Server | 11.4.10 | unaffected |
| MariaDB Foundation | MariaDB Server | 11.8.6 | unaffected |
| Amazon | Aurora MySQL | 2.12.6 | unaffected |
| Amazon | Aurora MySQL | 3.04.6 | unaffected |
| Amazon | Aurora MySQL | 3.10.3 | unaffected |
| Amazon | Aurora MySQL | 3.11.1 | unaffected |
| Amazon | RDS for MySQL | 5.7.44-RDS.20260212 | unaffected |
| Amazon | RDS for MySQL | 8.0.45 | unaffected |
| Amazon | RDS for MySQL | 8.4.8 | unaffected |
| Amazon | RDS for MariaDB | 10.6.25 | unaffected |
| Amazon | RDS for MariaDB | 10.11.16 | unaffected |
| Amazon | RDS for MariaDB | 11.4.10 | unaffected |
| Amazon | RDS for MariaDB | 11.8.6 | unaffected |
Weaknesses
- CWE-778: CWE-778 (Insufficient Logging)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://aws.amazon.com/security/security-bulletins/2026-006-AWS/
- https://github.com/MariaDB/server/commit/635559a2ad68a5a6d1a354e8209c58323dba0261
- https://github.com/aws/audit-plugin-for-mysql/commit/01e25a5cb1073f131eea774c06c8a056b1e4b2ff
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.