CVE-2026-3494

Published: March 13, 2026Last modified: March 13, 2026

Description

In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (—) or hash (#) style comments, the statement is not logged.

Severity score breakdown

Parameter	Value
Base score	4.3
Attack Vector	NETWORK
Attack complexity	LOW
Privileges required	LOW
User interaction	NONE
Scope	UNCHANGED
Confidentiality	NONE
Integrity impact	LOW
Availability impact	NONE
Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Status

Product	Release	Package	Status
Alpaquita Linux	23 LTS	mariadb	Fixed (10.6.25-r0)
	25 LTS	mariadb	Fixed (11.4.10-r0)
	Stream	mariadb	Fixed (11.8.6-r0)

References

https://aws.amazon.com/security/security-bulletins/2026-006-AWS/
https://github.com/MariaDB/server/commit/635559a2ad68a5a6d1a354e8209c58323dba0261
https://github.com/aws/audit-plugin-for-mysql/commit/01e25a5cb1073f131eea774c06c8a056b1e4b2ff