Unrated severity · NVD Advisory · Published Mar 3, 2026 · Updated Mar 16, 2026
MariaDB Server Audit Plugin Comment Handling Bypass
CVE-2026-3494
Description
In MariaDB Server versions through 11.8.5, when the server audit plugin is enabled and the server_audit_events variable is configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, a SQL statement that an authenticated database user prefixes with a double-hyphen (--) or hash (#) style comment is not logged.
Affected products (13)
- osv-coords (9 versions):
  - pkg:bitnami/mariadb (no CPE), range: < 10.6.25
  - pkg:bitnami/mariadb-min (no CPE), range: < 10.6.25
  - pkg:bitnami/mysql-client (no CPE), range: < 10.6.25
  - pkg:rpm/opensuse/mariadb&distro=openSUSE%20Leap%2016.0 (no CPE), range: < 11.8.8-160000.1.1
  - pkg:rpm/opensuse/mariadb&distro=openSUSE%20Tumbleweed (no CPE), range: < 11.8.7-1.1
  - pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7 (no CPE), range: < 11.8.8-150700.3.15.1
  - pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP7 (no CPE), range: < 11.8.8-150700.3.15.1
  - pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 (no CPE), range: < 11.8.8-160000.1.1
  - pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 (no CPE), range: < 11.8.8-160000.1.1
- Amazon/Aurora MySQL · v5 · Range: 2.12.6
- Amazon/RDS for MariaDB · v5 · Range: 10.6.25
- Amazon/RDS for MySQL · v5 · Range: 5.7.44-RDS.20260212
- MariaDB Foundation/MariaDB Server · v5 · Range: 10.6.25