Description
In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (—) or hash (#) style comments, the statement is not logged.
Published: 2026-03-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Audit log bypass for authenticated users
Action: Apply patch when available
AI Analysis

Impact

In MariaDB Server versions through 11.8.5, enabling the server audit plugin with filtering of DCL, DDL, or DML events allows an authenticated user to prefix a statement with double‑hyphen or hash comments. Because the audit subsystem ignores any statement that begins with a comment, that statement is omitted from audit records, creating a potential audit log bypass.

Affected Systems

Settings apply to MariaDB Server up to version 11.8.5, the MariaDB Foundation product, and Amazon deployments that embed this server such as Amazon Aurora MySQL, Amazon RDS for MariaDB, and Amazon RDS for MySQL. No fixed version is identified in the data.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1 % suggests a very low probability of exploitation. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that an authenticated user could use the comment bypass to conceal database operations from audit logs, potentially enabling stealthy activity. The overall risk is considered moderate because the CVSS rating and the low EPSS score offset the potential impact that could be achieved if exploited.

Generated by OpenCVE AI on April 18, 2026 at 10:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MariaDB Server to a version later than 11.8.5 where the issue is fixed (e.g., 11.8.6 or newer).
  • If an upgrade is not immediately possible, temporarily disable the audit plugin for authenticated users capable of submitting comment‑prefixed statements or implement application‑level input validation to strip or reject comments before execution.
  • Set up monitoring or alerting to detect missing audit entries for DCL, DDL, or DML operations, and review any gaps in audit logs for suspicious activity.

Generated by OpenCVE AI on April 18, 2026 at 10:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
References

Mon, 09 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Amazon aurora Mysql
Amazon relational Database Service
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:amazon:aurora_mysql:*:*:*:*:*:*:*:*
cpe:2.3:a:amazon:aurora_mysql:3.11.0:*:*:*:*:*:*:*
cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mariadb:*:*
cpe:2.3:a:amazon:relational_database_service:*:*:*:*:*:mysql:*:*
cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*
Vendors & Products Amazon aurora Mysql
Amazon relational Database Service

Wed, 04 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Amazon
Amazon aurora
Amazon rds For Mariadb
Amazon rds For Mysql
Mariadb
Mariadb mariadb
Vendors & Products Amazon
Amazon aurora
Amazon rds For Mariadb
Amazon rds For Mysql
Mariadb
Mariadb mariadb

Wed, 04 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1286
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 03 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
Description In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (—) or hash (#) style comments, the statement is not logged.
Title MariaDB Server Audit Plugin Comment Handling Bypass
Weaknesses CWE-778
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Amazon Aurora Aurora Mysql Rds For Mariadb Rds For Mysql Relational Database Service
Mariadb Mariadb
cve-icon MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-03-16T17:03:08.613Z

Reserved: 2026-03-03T17:26:55.939Z

Link: CVE-2026-3494

cve-icon Vulnrichment

Updated: 2026-03-03T18:56:28.318Z

cve-icon NVD

Status : Modified

Published: 2026-03-03T20:16:50.667

Modified: 2026-03-16T18:16:09.707

Link: CVE-2026-3494

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-03T18:12:12Z

Links: CVE-2026-3494 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T10:15:25Z

Weaknesses