CVE-2026-3494

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-3494
In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (—) or hash (#) style comments, the statement is not logged.

4.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://aws.amazon.com/security/security-bulletins/2026-006-AWS/ Third Party Advisory
https://github.com/MariaDB/server/commit/635559a2ad68a5a6d1a354e8209c58323dba0261
https://github.com/aws/audit-plugin-for-mysql/commit/01e25a5cb1073f131eea774c06c8a056b1e4b2ff
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*
cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*
cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*
cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:amazon:aurora_mysql:*:*:*:*:*:*:*:*
cpe:2.3:a:amazon:aurora_mysql:*:*:*:*:*:*:*:*
cpe:2.3:a:amazon:aurora_mysql:*:*:*:*:*:*:*:*
cpe:2.3:a:amazon:aurora_mysql:3.11.0:*:*:*:*:*:*:*
cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mysql:*:*
cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mariadb:*:*
cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mysql:*:*
cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mysql:*:*
cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mariadb:*:*
cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mariadb:*:*
cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mariadb:*:*
History

16 Mar 2026, 18:16

Type Values Removed Values Added
References
  • () https://github.com/MariaDB/server/commit/635559a2ad68a5a6d1a354e8209c58323dba0261 -
  • () https://github.com/aws/audit-plugin-for-mysql/commit/01e25a5cb1073f131eea774c06c8a056b1e4b2ff -

09 Mar 2026, 18:12

Type Values Removed Values Added
References () https://aws.amazon.com/security/security-bulletins/2026-006-AWS/ - () https://aws.amazon.com/security/security-bulletins/2026-006-AWS/ - Third Party Advisory
Summary
  • (es) En la versión del servidor MariaDB hasta la 11.8.5, cuando el plugin de auditoría del servidor está habilitado con la variable server_audit_events configurada con el filtrado QUERY_DCL, QUERY_DDL o QUERY_DML, si un usuario de base de datos autenticado invoca una instrucción SQL prefijada con comentarios estilo doble guion (—) o almohadilla (#), la instrucción no se registra.
CPE cpe:2.3:a:amazon:aurora_mysql:3.11.0:*:*:*:*:*:*:*
cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mariadb:*:*
cpe:2.3:a:amazon:aurora_mysql:*:*:*:*:*:*:*:*
cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*
cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mysql:*:*
First Time Mariadb mariadb
Amazon aurora Mysql
Amazon relational Database Service
Mariadb
Amazon
CWE NVD-CWE-noinfo

03 Mar 2026, 20:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-03 20:16

Updated : 2026-03-16 18:16

NVD link : CVE-2026-3494

Mitre link : CVE-2026-3494

CVE.ORG link : CVE-2026-3494

JSON object : View

Products Affected

mariadb

  • mariadb

amazon

  • aurora_mysql
  • relational_database_service
CWE
CWE-778

Insufficient Logging

NVD-CWE-noinfo