Vulnerability-Lookup

CVE-2026-3494 (GCVE-0-2026-3494)

Vulnerability from cvelistv5 – Published: 2026-03-03 18:12 – Updated: 2026-03-03 22:56

Title

MariaDB Server Audit Plugin Comment Handling Bypass

Summary

In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (—) or hash (#) style comments, the statement is not logged.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

5.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

CWE

CWE-778 - (Insufficient Logging)

Assigner

AMZN

References

URL

Tags

https://aws.amazon.com/security/security-bulletin…

vendor-advisory

Impacted products

Vendor

Product

Version

MariaDB Foundation

MariaDB Server

Unaffected: 10.6.25
Unaffected: 10.11.16
Unaffected: 11.4.10
Unaffected: 11.8.6

Amazon	Aurora MySQL	Unaffected: 2.12.6 Unaffected: 3.04.6 Unaffected: 3.10.3 Unaffected: 3.11.1
Amazon	RDS for MySQL	Unaffected: 5.7.44-RDS.20260212 Unaffected: 8.0.45 Unaffected: 8.4.8
Amazon	RDS for MariaDB	Unaffected: 10.6.25 Unaffected: 10.11.16 Unaffected: 11.4.10 Unaffected: 11.8.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3494",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-03T18:56:25.959459Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-03T18:56:35.946Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MariaDB Server",
          "vendor": "MariaDB Foundation",
          "versions": [
            {
              "status": "unaffected",
              "version": "10.6.25"
            },
            {
              "status": "unaffected",
              "version": "10.11.16"
            },
            {
              "status": "unaffected",
              "version": "11.4.10"
            },
            {
              "status": "unaffected",
              "version": "11.8.6"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Aurora MySQL",
          "vendor": "Amazon",
          "versions": [
            {
              "status": "unaffected",
              "version": "2.12.6"
            },
            {
              "status": "unaffected",
              "version": "3.04.6"
            },
            {
              "status": "unaffected",
              "version": "3.10.3"
            },
            {
              "status": "unaffected",
              "version": "3.11.1"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RDS for MySQL",
          "vendor": "Amazon",
          "versions": [
            {
              "status": "unaffected",
              "version": "5.7.44-RDS.20260212"
            },
            {
              "status": "unaffected",
              "version": "8.0.45"
            },
            {
              "status": "unaffected",
              "version": "8.4.8"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RDS for MariaDB",
          "vendor": "Amazon",
          "versions": [
            {
              "status": "unaffected",
              "version": "10.6.25"
            },
            {
              "status": "unaffected",
              "version": "10.11.16"
            },
            {
              "status": "unaffected",
              "version": "11.4.10"
            },
            {
              "status": "unaffected",
              "version": "11.8.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIn MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (\u2014) or hash (#) style comments, the statement is not logged.\u003c/p\u003e"
            }
          ],
          "value": "In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (\u2014) or hash (#) style comments, the statement is not logged."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-93",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-93 (Log Injection-Tampering-Forging)"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-778",
              "description": "CWE-778 (Insufficient Logging)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-03T22:56:22.439Z",
        "orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
        "shortName": "AMZN"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://aws.amazon.com/security/security-bulletins/2026-006-AWS/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "MariaDB Server Audit Plugin Comment Handling Bypass",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
    "assignerShortName": "AMZN",
    "cveId": "CVE-2026-3494",
    "datePublished": "2026-03-03T18:12:12.361Z",
    "dateReserved": "2026-03-03T17:26:55.939Z",
    "dateUpdated": "2026-03-03T22:56:22.439Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-3494\",\"sourceIdentifier\":\"ff89ba41-3aa1-4d27-914a-91399e9639e5\",\"published\":\"2026-03-03T20:16:50.667\",\"lastModified\":\"2026-03-09T18:12:26.383\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (\u2014) or hash (#) style comments, the statement is not logged.\"},{\"lang\":\"es\",\"value\":\"En la versi\u00f3n del servidor MariaDB hasta la 11.8.5, cuando el plugin de auditor\u00eda del servidor est\u00e1 habilitado con la variable server_audit_events configurada con el filtrado QUERY_DCL, QUERY_DDL o QUERY_DML, si un usuario de base de datos autenticado invoca una instrucci\u00f3n SQL prefijada con comentarios estilo doble guion (\u2014) o almohadilla (#), la instrucci\u00f3n no se registra.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"ff89ba41-3aa1-4d27-914a-91399e9639e5\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"ff89ba41-3aa1-4d27-914a-91399e9639e5\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"ff89ba41-3aa1-4d27-914a-91399e9639e5\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-778\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"10.6.24\",\"matchCriteriaId\":\"8A30EA78-32F5-4C1B-A67A-23DC6C7B72EB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.7.0\",\"versionEndIncluding\":\"10.11.15\",\"matchCriteriaId\":\"332B395C-4839-4615-B00B-E4D441F2CD0A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.0.0\",\"versionEndIncluding\":\"11.4.9\",\"matchCriteriaId\":\"A26387F9-8443-4057-A5E1-441377F32CDB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.5.0\",\"versionEndIncluding\":\"11.8.5\",\"matchCriteriaId\":\"A2088E08-6CAF-4EA5-BF0D-1E5F7D895EAE\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:amazon:aurora_mysql:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.12.5\",\"matchCriteriaId\":\"47D5C055-479D-48B1-9A1B-96A03A991BF7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:amazon:aurora_mysql:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.01.0\",\"versionEndIncluding\":\"3.04.5\",\"matchCriteriaId\":\"AE644D3A-3533-42D9-9CF6-9ED557973FDC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:amazon:aurora_mysql:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.05.1\",\"versionEndIncluding\":\"3.10.2\",\"matchCriteriaId\":\"71F2AFB8-E9B5-41BB-9FA6-5FD6DF742609\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:amazon:aurora_mysql:3.11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A6548276-890D-4BAA-B63C-2589276CB05B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mysql:*:*\",\"versionEndIncluding\":\"5.7.44-rds.20251212\",\"matchCriteriaId\":\"19020403-62DD-4582-94FC-C942145BE41C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mariadb:*:*\",\"versionEndIncluding\":\"10.6.24\",\"matchCriteriaId\":\"D726E50A-7EF5-416D-A87A-2BF960AD2FE8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mysql:*:*\",\"versionStartIncluding\":\"8.0.11\",\"versionEndIncluding\":\"8.0.44\",\"matchCriteriaId\":\"D0E5AB60-5EAB-4425-A5ED-D7A4C885412B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mysql:*:*\",\"versionStartIncluding\":\"8.4.3\",\"versionEndIncluding\":\"8.4.7\",\"matchCriteriaId\":\"245D28E5-72B2-425D-B45A-A8FF86253512\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mariadb:*:*\",\"versionStartIncluding\":\"10.11.4\",\"versionEndIncluding\":\"10.11.15\",\"matchCriteriaId\":\"231A1730-3772-4CBD-9987-88261193DE56\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mariadb:*:*\",\"versionStartIncluding\":\"11.4.3\",\"versionEndIncluding\":\"11.4.9\",\"matchCriteriaId\":\"BAFD31F7-359F-4CC7-8DDF-4543EB8478D7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mariadb:*:*\",\"versionStartIncluding\":\"11.8.3\",\"versionEndIncluding\":\"11.8.5\",\"matchCriteriaId\":\"06BB3DE6-41A1-4D83-B3ED-E3200E8A414B\"}]}]}],\"references\":[{\"url\":\"https://aws.amazon.com/security/security-bulletins/2026-006-AWS/\",\"source\":\"ff89ba41-3aa1-4d27-914a-91399e9639e5\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-3494\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-03T18:56:25.959459Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-03T18:56:28.318Z\"}}], \"cna\": {\"title\": \"MariaDB Server Audit Plugin Comment Handling Bypass\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-93\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-93 (Log Injection-Tampering-Forging)\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 5.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"MariaDB Foundation\", \"product\": \"MariaDB Server\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"10.6.25\"}, {\"status\": \"unaffected\", \"version\": \"10.11.16\"}, {\"status\": \"unaffected\", \"version\": \"11.4.10\"}, {\"status\": \"unaffected\", \"version\": \"11.8.6\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Amazon\", \"product\": \"Aurora MySQL\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"2.12.6\"}, {\"status\": \"unaffected\", \"version\": \"3.04.6\"}, {\"status\": \"unaffected\", \"version\": \"3.10.3\"}, {\"status\": \"unaffected\", \"version\": \"3.11.1\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Amazon\", \"product\": \"RDS for MySQL\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"5.7.44-RDS.20260212\"}, {\"status\": \"unaffected\", \"version\": \"8.0.45\"}, {\"status\": \"unaffected\", \"version\": \"8.4.8\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Amazon\", \"product\": \"RDS for MariaDB\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"10.6.25\"}, {\"status\": \"unaffected\", \"version\": \"10.11.16\"}, {\"status\": \"unaffected\", \"version\": \"11.4.10\"}, {\"status\": \"unaffected\", \"version\": \"11.8.6\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://aws.amazon.com/security/security-bulletins/2026-006-AWS/\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (\\u2014) or hash (#) style comments, the statement is not logged.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eIn MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (\\u2014) or hash (#) style comments, the statement is not logged.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-778\", \"description\": \"CWE-778 (Insufficient Logging)\"}]}], \"providerMetadata\": {\"orgId\": \"ff89ba41-3aa1-4d27-914a-91399e9639e5\", \"shortName\": \"AMZN\", \"dateUpdated\": \"2026-03-03T22:56:22.439Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-3494\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-03T22:56:22.439Z\", \"dateReserved\": \"2026-03-03T17:26:55.939Z\", \"assignerOrgId\": \"ff89ba41-3aa1-4d27-914a-91399e9639e5\", \"datePublished\": \"2026-03-03T18:12:12.361Z\", \"assignerShortName\": \"AMZN\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

MSRC_CVE-2026-3494

Vulnerability from csaf_microsoft - Published: 2026-03-02 00:00 - Updated: 2026-03-11 01:01

Summary

MariaDB Server Audit Plugin Comment Handling Bypass

Notes

Additional Resources

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer

The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2026-3494 MariaDB Server Audit Plugin Comment Handling Bypass - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-3494.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "MariaDB Server Audit Plugin Comment Handling Bypass",
    "tracking": {
      "current_release_date": "2026-03-11T01:01:52.000Z",
      "generator": {
        "date": "2026-03-11T07:01:55.565Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2026-3494",
      "initial_release_date": "2026-03-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-03-07T01:04:40.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2026-03-10T01:38:06.000Z",
          "legacy_version": "2",
          "number": "2",
          "summary": "Information published."
        },
        {
          "date": "2026-03-11T01:01:52.000Z",
          "legacy_version": "3",
          "number": "3",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "2.0",
                "product": {
                  "name": "CBL Mariner 2.0",
                  "product_id": "17086"
                }
              },
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 mariadb 10.6.24-1",
                "product": {
                  "name": "\u003ccbl2 mariadb 10.6.24-1",
                  "product_id": "2"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 mariadb 10.6.24-1",
                "product": {
                  "name": "cbl2 mariadb 10.6.24-1",
                  "product_id": "20778"
                }
              },
              {
                "category": "product_version_range",
                "name": "azl3 mariadb 10.11.15-1",
                "product": {
                  "name": "azl3 mariadb 10.11.15-1",
                  "product_id": "1"
                }
              }
            ],
            "category": "product_name",
            "name": "mariadb"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 mariadb 10.6.24-1 as a component of CBL Mariner 2.0",
          "product_id": "17086-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 mariadb 10.6.24-1 as a component of CBL Mariner 2.0",
          "product_id": "20778-17086"
        },
        "product_reference": "20778",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 mariadb 10.11.15-1 as a component of Azure Linux 3.0",
          "product_id": "17084-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17084"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-3494",
      "cwe": {
        "id": "CWE-778",
        "name": "Insufficient Logging"
      },
      "notes": [
        {
          "category": "general",
          "text": "AMZN",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "fixed": [
          "20778-17086"
        ],
        "known_affected": [
          "17086-2",
          "17084-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-3494 MariaDB Server Audit Plugin Comment Handling Bypass - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-3494.json"
        }
      ],
      "remediations": [
        {
          "category": "none_available",
          "date": "2026-03-07T01:04:40.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-1"
          ]
        },
        {
          "category": "vendor_fix",
          "date": "2026-03-07T01:04:40.000Z",
          "details": "10.6.25-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-2"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalsScore": 0.0,
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 4.3,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "17086-2",
            "17084-1"
          ]
        }
      ],
      "title": "MariaDB Server Audit Plugin Comment Handling Bypass"
    }
  ]
}

GHSA-QMJM-438J-W485

Vulnerability from github – Published: 2026-03-03 21:31 – Updated: 2026-03-03 21:31

Details

Severity ?

4.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

5.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-3494"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-778"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-03T20:16:50Z",
    "severity": "MODERATE"
  },
  "details": "In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (\u2014) or hash (#) style comments, the statement is not logged.",
  "id": "GHSA-qmjm-438j-w485",
  "modified": "2026-03-03T21:31:16Z",
  "published": "2026-03-03T21:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3494"
    },
    {
      "type": "WEB",
      "url": "https://aws.amazon.com/security/security-bulletins/2026-006-AWS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

FKIE_CVE-2026-3494

Vulnerability from fkie_nvd - Published: 2026-03-03 20:16 - Updated: 2026-03-09 18:12

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Summary

References

	URL	Tags
	ff89ba41-3aa1-4d27-914a-91399e9639e5	https://aws.amazon.com/security/security-bulletins/2026-006-AWS/	Third Party Advisory

Impacted products

Vendor	Product	Version
mariadb	mariadb	*
mariadb	mariadb	*
mariadb	mariadb	*
mariadb	mariadb	*
amazon	aurora_mysql	*
amazon	aurora_mysql	*
amazon	aurora_mysql	*
amazon	aurora_mysql	3.11.0
amazon	relational_database_service	*
amazon	relational_database_service	*
amazon	relational_database_service	*
amazon	relational_database_service	*
amazon	relational_database_service	*
amazon	relational_database_service	*
amazon	relational_database_service	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8A30EA78-32F5-4C1B-A67A-23DC6C7B72EB",
              "versionEndIncluding": "10.6.24",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "332B395C-4839-4615-B00B-E4D441F2CD0A",
              "versionEndIncluding": "10.11.15",
              "versionStartIncluding": "10.7.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A26387F9-8443-4057-A5E1-441377F32CDB",
              "versionEndIncluding": "11.4.9",
              "versionStartIncluding": "11.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A2088E08-6CAF-4EA5-BF0D-1E5F7D895EAE",
              "versionEndIncluding": "11.8.5",
              "versionStartIncluding": "11.5.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:amazon:aurora_mysql:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "47D5C055-479D-48B1-9A1B-96A03A991BF7",
              "versionEndIncluding": "2.12.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:amazon:aurora_mysql:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AE644D3A-3533-42D9-9CF6-9ED557973FDC",
              "versionEndIncluding": "3.04.5",
              "versionStartIncluding": "3.01.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:amazon:aurora_mysql:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "71F2AFB8-E9B5-41BB-9FA6-5FD6DF742609",
              "versionEndIncluding": "3.10.2",
              "versionStartIncluding": "3.05.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:amazon:aurora_mysql:3.11.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A6548276-890D-4BAA-B63C-2589276CB05B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mysql:*:*",
              "matchCriteriaId": "19020403-62DD-4582-94FC-C942145BE41C",
              "versionEndIncluding": "5.7.44-rds.20251212",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mariadb:*:*",
              "matchCriteriaId": "D726E50A-7EF5-416D-A87A-2BF960AD2FE8",
              "versionEndIncluding": "10.6.24",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mysql:*:*",
              "matchCriteriaId": "D0E5AB60-5EAB-4425-A5ED-D7A4C885412B",
              "versionEndIncluding": "8.0.44",
              "versionStartIncluding": "8.0.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mysql:*:*",
              "matchCriteriaId": "245D28E5-72B2-425D-B45A-A8FF86253512",
              "versionEndIncluding": "8.4.7",
              "versionStartIncluding": "8.4.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mariadb:*:*",
              "matchCriteriaId": "231A1730-3772-4CBD-9987-88261193DE56",
              "versionEndIncluding": "10.11.15",
              "versionStartIncluding": "10.11.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mariadb:*:*",
              "matchCriteriaId": "BAFD31F7-359F-4CC7-8DDF-4543EB8478D7",
              "versionEndIncluding": "11.4.9",
              "versionStartIncluding": "11.4.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mariadb:*:*",
              "matchCriteriaId": "06BB3DE6-41A1-4D83-B3ED-E3200E8A414B",
              "versionEndIncluding": "11.8.5",
              "versionStartIncluding": "11.8.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (\u2014) or hash (#) style comments, the statement is not logged."
    },
    {
      "lang": "es",
      "value": "En la versi\u00f3n del servidor MariaDB hasta la 11.8.5, cuando el plugin de auditor\u00eda del servidor est\u00e1 habilitado con la variable server_audit_events configurada con el filtrado QUERY_DCL, QUERY_DDL o QUERY_DML, si un usuario de base de datos autenticado invoca una instrucci\u00f3n SQL prefijada con comentarios estilo doble guion (\u2014) o almohadilla (#), la instrucci\u00f3n no se registra."
    }
  ],
  "id": "CVE-2026-3494",
  "lastModified": "2026-03-09T18:12:26.383",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
        "type": "Secondary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-03T20:16:50.667",
  "references": [
    {
      "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://aws.amazon.com/security/security-bulletins/2026-006-AWS/"
    }
  ],
  "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-778"
        }
      ],
      "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

bit-mariadb-2026-3494

Vulnerability from bitnami_vulndb

Published

2026-03-10 08:46

Modified

2026-03-10 09:11

Summary

MariaDB Server Audit Plugin Comment Handling Bypass

Details

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "mariadb",
        "purl": "pkg:bitnami/mariadb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.6.25"
            },
            {
              "introduced": "10.7.0"
            },
            {
              "fixed": "10.11.16"
            },
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.4.10"
            },
            {
              "introduced": "11.5.0"
            },
            {
              "fixed": "11.8.6"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "type": "CVSS_V4"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-3494"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
  },
  "details": "In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (\u2014) or hash (#) style comments, the statement is not logged.",
  "id": "BIT-mariadb-2026-3494",
  "modified": "2026-03-10T09:11:39.609Z",
  "published": "2026-03-10T08:46:18.025Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://aws.amazon.com/security/security-bulletins/2026-006-AWS/"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3494"
    }
  ],
  "schema_version": "1.6.2",
  "summary": "MariaDB Server Audit Plugin Comment Handling Bypass"
}

CERTFR-2026-AVI-0258

Vulnerability from certfr_avis - Published: 2026-03-10 - Updated: 2026-03-10

Une vulnérabilité a été découverte dans Microsoft CBL-Mariner. Elle permet à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Microsoft	N/A	cbl2 mariadb 10.6.24-1 versions antérieures à 10.6.25-1

References

Title

Publication Time

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-3494 (GCVE-0-2026-3494)

MSRC_CVE-2026-3494

GHSA-QMJM-438J-W485

FKIE_CVE-2026-3494

bit-mariadb-2026-3494

Vulnerability from bitnami_vulndb

CERTFR-2026-AVI-0258

Solutions

Tags

Sightings

Nomenclature