Score: 5.3 (NVD CVSS 4.0)

MariaDB Audit Plugin Fails to Log Certain SQL Statements

CVE-2026-3494 · BIT-mariadb-min-2026-3494
Summary

An authenticated database user can keep a SQL statement out of the MariaDB server audit log by prefixing it with a comment when the plugin filters on query class. Unauthorized activity could therefore go unrecorded. To protect your database, make sure the server audit plugin is configured to log all relevant SQL statements.

What to do
  • Update mysql-client to version 12.0.2.
  • Update mariadb to version 11.8.6.
  • Update mariadb-min to version 11.8.6.
Affected software

Vendor    Product                      Affected versions          Fix available
mariadb   mariadb                      <= 10.6.24
mariadb   mariadb                      > 10.7.0, <= 10.11.15
mariadb   mariadb                      > 11.0.0, <= 11.4.9
mariadb   mariadb                      > 11.5.0, <= 11.8.5
amazon    aurora_mysql                 <= 2.12.5
amazon    aurora_mysql                 > 3.01.0, <= 3.04.5
amazon    aurora_mysql                 > 3.05.1, <= 3.10.2
amazon    aurora_mysql                 3.11.0
amazon    relational_database_service  <= 5.7.44-rds.20251212
amazon    relational_database_service  <= 10.6.24
amazon    relational_database_service  > 8.0.11, <= 8.0.44
amazon    relational_database_service  > 8.4.3, <= 8.4.7
amazon    relational_database_service  > 10.11.4, <= 10.11.15
amazon    relational_database_service  > 11.4.3, <= 11.4.9
amazon    relational_database_service  > 11.8.3, <= 11.8.5
          mysql-client                 > 10.7.0, <= 12.0.2        12.0.2
          mariadb                      > 11.5.0, <= 11.8.6        11.8.6
          mariadb-min                  > 11.5.0, <= 11.8.6        11.8.6
Original title
MariaDB Server Audit Plugin Comment Handling Bypass
Original description
In MariaDB Server versions through 11.8.5, when the server audit plugin is enabled with the server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (--) or hash (#) style comments, the statement is not logged.
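As an added check that is not part of this advisory or the MariaDB project: a Python script that applies this page's affected version ranges and the server_audit_events condition from the description above to SHOW VARIABLES output captured from each server, flagging servers whose audit log may be missing comment-prefixed statements. The server_audit_logging, server_audit_events and version variables are standard MariaDB names; the sample server data is constructed and the assessment logic is my own.

```python
import re
# Affected MariaDB Server ranges from this advisory:
# (exclusive lower bound or None, inclusive upper bound).
AFFECTED_RANGES = [
    (None, (10, 6, 24)),         # <= 10.6.24
    ((10, 7, 0), (10, 11, 15)),  # > 10.7.0, <= 10.11.15
    ((11, 0, 0), (11, 4, 9)),    # > 11.0.0, <= 11.4.9
    ((11, 5, 0), (11, 8, 5)),    # > 11.5.0, <= 11.8.5
]
# Query classes whose filtering a leading comment bypasses, per the description.
BYPASSED_CLASSES = {"QUERY_DCL", "QUERY_DDL", "QUERY_DML"}

def parse_version(text):
    """'11.4.7-MariaDB-log' -> (11, 4, 7); anything after the third number is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())

def version_affected(text):
    """True if the server version falls inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any((low is None or v > low) and v <= high for low, high in AFFECTED_RANGES)

def class_filtering(server_audit_events):
    """True if server_audit_events restricts logging to QUERY_DCL/DDL/DML classes.
    An empty value logs every event, so the comment bypass does not apply."""
    classes = {c.strip().upper() for c in server_audit_events.split(",") if c.strip()}
    return bool(classes & BYPASSED_CLASSES)

def exposure(variables):
    """Assess one server from its SHOW VARIABLES values; returns (affected, reason)."""
    if variables.get("server_audit_logging", "OFF").upper() != "ON":
        return False, "server_audit_logging is OFF: nothing is audited at all"
    if not version_affected(variables["version"]):
        return False, "server version is outside the affected ranges"
    if not class_filtering(variables.get("server_audit_events", "")):
        return False, "no QUERY_* class filtering, so every statement is logged"
    return True, "affected version with QUERY_* filtering: comment-prefixed statements are not logged"
# Constructed sample input, as captured from SHOW VARIABLES on three servers.
SAMPLE_SERVERS = {
    "prod-db-1": {"version": "11.4.7-MariaDB-log", "server_audit_logging": "ON", "server_audit_events": "CONNECT,QUERY_DDL,QUERY_DML"},
    "prod-db-2": {"version": "11.8.6-MariaDB", "server_audit_logging": "ON", "server_audit_events": "QUERY_DDL"},
    "dev-db": {"version": "10.6.20-MariaDB", "server_audit_logging": "ON", "server_audit_events": ""},
}
if __name__ == "__main__":
    for name, vars_ in SAMPLE_SERVERS.items():
        affected, why = exposure(vars_)
        print(f"{name}: {'AFFECTED' if affected else 'ok'} ({why})")
```

Note that the Amazon Aurora and RDS version ranges in the table above use their own numbering and are not covered by this check.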
NVD CVSS 3.1: 4.3
NVD CVSS 4.0: 5.3
Vulnerability type
CWE-778 (Insufficient Logging)
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026