CVE-2026-3494 — Insufficient Logging in Relational Database Service

CWE-778 — Insufficient Logging CWE-1286 — Improper Validation of Syntactic Correctness of Input10 documents7 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 97.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Amazon Aurora Mysql Amazon Relational Database Service Mariadb

Timeline

PublishedMar 3

Latest updateMar 10

Description

In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (—) or hash (#) style comments, the statement is not logged.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDmariadb/mariadb10.7.0 — 10.11.15+3

▶NVDamazon/relational_database_service8.0.11 — 8.0.44+6

▶NVDamazon/aurora_mysql3.01.0 — 3.04.5+3

🔴Vulnerability Details

GHSA

GHSA-qmjm-438j-w485: In MariaDB server version through 11↗2026-03-03

▶

CVEList

MariaDB Server Audit Plugin Comment Handling Bypass↗2026-03-03

▶

📋Vendor Advisories

Microsoft

MariaDB Server Audit Plugin Comment Handling Bypass↗2026-03-10

▶

Red Hat

MariaDB: MariaDB: Information disclosure due to unlogged SQL statements with comments↗2026-03-03

▶

🕵️Threat Intelligence

Bleepingcomputer

Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws↗2026-03-10

▶

Wiz

CVE-2026-3494 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-35549 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2025-13699 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-32710 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶