CVE-2026-3494

Published: Mar 3, 2026

Modified: Mar 16, 2026

PUBLISHED

CVSS v3.1

4.3

MEDIUM

Description

In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (—) or hash (#) style comments, the statement is not logged.

Vendor	Product	Versions
MariaDB Foundation	MariaDB Server	unaffected `10.6.25` unaffected `10.11.16` unaffected `11.4.10` unaffected `11.8.6`
Amazon	Aurora MySQL	unaffected `2.12.6` unaffected `3.04.6` unaffected `3.10.3` unaffected `3.11.1`
Amazon	RDS for MySQL	unaffected `5.7.44-RDS.20260212` unaffected `8.0.45` unaffected `8.4.8`
Amazon	RDS for MariaDB	unaffected `10.6.25` unaffected `10.11.16` unaffected `11.4.10` unaffected `11.8.6`

Weaknesses (CWE)

CWE-778

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

References

https://aws.amazon.com/security/security-bulletins/2026-006-AWS/

vendor-advisory

https://github.com/MariaDB/server/commit/635559a2ad68a5a6d1a354e8209c58323dba0261

patch

https://github.com/aws/audit-plugin-for-mysql/commit/01e25a5cb1073f131eea774c06c8a056b1e4b2ff

patch

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-3494

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References