VYPR
Unrated severity · NVD Advisory · Published Mar 3, 2026 · Updated Mar 16, 2026

MariaDB Server Audit Plugin Comment Handling Bypass

CVE-2026-3494

Description

In MariaDB Server versions through 11.8.5, when the server audit plugin is enabled with the server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (--) or hash (#) style comments, the statement is not logged.

Affected products

4
  • Amazon/Aurora MySQLv5
    Range: 2.12.6
  • Amazon/RDS for MariaDBv5
    Range: 10.6.25
  • Amazon/RDS for MySQLv5
    Range: 5.7.44-RDS.20260212
  • MariaDB Foundation/MariaDB Serverv5
    Range: 10.6.25

Patches

0

No patches discovered yet.
