CVE-2026-3494

Description

In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (—) or hash (#) style comments, the statement is not logged.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

Low

User Interaction

None

Confidentiality (Vulnerable System)

None

Integrity (Vulnerable System)

Low

Availability (Vulnerable System)

None

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Affected products

Amazon / Aurora MySQL2.12.6 – 2.12.6
Amazon / Aurora MySQL3.11.1 – 3.11.1
Amazon / Aurora MySQL3.10.3 – 3.10.3
Amazon / Aurora MySQL3.04.6 – 3.04.6
Amazon / RDS for MariaDB11.8.6 – 11.8.6
Amazon / RDS for MariaDB10.6.25 – 10.6.25
Amazon / RDS for MariaDB10.11.16 – 10.11.16
Amazon / RDS for MariaDB11.4.10 – 11.4.10
Amazon / RDS for MySQL5.7.44-RDS.20260212 – 5.7.44-RDS.20260212
Amazon / RDS for MySQL8.0.45 – 8.0.45
Amazon / RDS for MySQL8.4.8 – 8.4.8
MariaDB Foundation / MariaDB Server10.6.25 – 10.6.25
MariaDB Foundation / MariaDB Server11.8.6 – 11.8.6
MariaDB Foundation / MariaDB Server11.4.10 – 11.4.10
MariaDB Foundation / MariaDB Server10.11.16 – 10.11.16

Description

CVSS breakdown

Affected products

References