CVE-2026-3494

MariaDB Server Audit Plugin Comment Handling Bypass

Published: 3/3/2026 Last updated: 3/3/2026 Reserved: 3/3/2026

In MariaDB Server versions through 11.8.5, when the server audit plugin is enabled with the server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (--) or hash (#) style comments, the statement is not logged.

CNA assigner: AMZN (ff89ba41-3aa1-4d27-914a-91399e9639e5) Requested by: n/a

Metrics

| Version | Score | Severity | Vector String |
|---------|-------|----------|---------------|
| 4.0 | 5.3 | Medium | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| 3.1 | 4.3 | Medium | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |

Opam packages affected (2)

conf-mariadb conf-mysql

Products affected (4)

| Product | Vendor | Version |
|---------|--------|---------|
| MariaDB Server | MariaDB Foundation | < 10.0.22621.3880 |
| Aurora MySQL | Amazon | < 10.0.19045.4651 |
| RDS for MySQL | Amazon | < 10.0.22631.3880 |
| RDS for MariaDB | Amazon | < 10.0.22631.3880 |

References (1)