CVE-2026-3494 Overview
CVE-2026-3494 is an audit logging bypass affecting MariaDB server versions through 11.8.5. When the server audit plugin is enabled and server_audit_events is configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, statements prefixed with double-hyphen (--) or hash (#) style SQL comments are not written to the audit log. An authenticated database user can suppress audit records by simply prepending a comment to any SQL statement. The flaw also affects downstream deployments including Amazon Aurora MySQL and Amazon Relational Database Service (RDS). The issue is tracked under CWE-778: Insufficient Logging.
Critical Impact
Authenticated users can evade audit logging for DCL, DDL, and DML statements, undermining forensic visibility and compliance controls.
Affected Products
- MariaDB Server versions through 11.8.5
- Amazon Aurora MySQL (including 3.11.0)
- Amazon Relational Database Service (RDS) for MySQL and MariaDB
Discovery Timeline
- 2026-03-03 - CVE-2026-3494 published to the National Vulnerability Database (NVD)
- 2026-03-16 - Last updated in NVD database
Technical Details for CVE-2026-3494
Vulnerability Analysis
The MariaDB server audit plugin records SQL activity based on event categories selected through the server_audit_events variable. When operators configure category filters such as QUERY_DCL, QUERY_DDL, or QUERY_DML, the plugin classifies incoming statements before deciding whether to emit a log entry. The classification path does not normalize statements that begin with -- or # comment markers. As a result, the plugin fails to map these statements to the corresponding query category and silently skips logging.
An authenticated user with SELECT, INSERT, UPDATE, DELETE, or schema-modification privileges can suppress evidence of their actions by prepending a comment to each statement. The underlying query still executes normally because the SQL parser strips the leading comment before execution. Only the audit subsystem is affected.
Root Cause
The defect lies in how the audit plugin determines query type for filtering. The classifier inspects the leading tokens of the statement string but does not skip leading comment tokens. When -- or # appears at the start of the buffer, the classifier returns an unmatched category and the plugin discards the event. The fix, applied in commits to both the MariaDB server repository and the AWS audit plugin for MySQL, advances the parser past leading comments before category matching.
Attack Vector
Exploitation requires an authenticated database session over the network. No special privileges beyond standard query execution rights are needed. An attacker who has already obtained credentials, whether through phishing, credential stuffing, or insider access, can run unlogged DDL, DML, or DCL by prefixing every statement with -- or #. The vulnerability does not grant new privileges or data access. It removes the audit trail that defenders rely on for investigation and compliance reporting.
The vulnerability is described in prose only; no public proof-of-concept exploit code is referenced in the advisory. See the AWS Security Bulletin 2026-006 for vendor-confirmed technical details.
Detection Methods for CVE-2026-3494
Indicators of Compromise
- Gaps between application-side query logs and MariaDB audit log entries for the same session identifier.
- Sudden drops in audit event volume for users known to perform regular DDL or DML activity.
- Database connections that issue statements starting with -- or # immediately after authentication.
Detection Strategies
- Cross-reference audit plugin output with binary logs or general query logs, which capture statements regardless of leading comments.
- Hunt for statements containing leading -- or # sequences in network packet captures or proxy logs in front of the database.
- Alert on audit event categories returning empty results for users whose application traffic indicates active query workloads.
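The classification defect described under Root Cause and the cross-referencing check from Detection Strategies, as an added Python model that is not MariaDB's or the AWS audit plugin's code: classify_vulnerable mirrors a classifier that reads the raw statement buffer, classify_fixed advances past leading comments first, and find_unaudited runs both over constructed general-query-log entries to surface statements the filtered audit log would have dropped. The keyword tables, the log layout and the sample entries are assumptions, and any leading -- is treated as a comment marker for simplicity.

```python
import re
# Keyword-to-category tables modelled on the server_audit_events filters (illustrative subset).
CATEGORY = {**dict.fromkeys(["CREATE", "ALTER", "DROP", "RENAME", "TRUNCATE"], "QUERY_DDL"),
            **dict.fromkeys(["SELECT", "INSERT", "UPDATE", "DELETE", "REPLACE"], "QUERY_DML"),
            **dict.fromkeys(["GRANT", "REVOKE"], "QUERY_DCL")}

def skip_leading_comments(sql):
    """Advance past leading whitespace and '--' / '#' line comments (the modelled fix)."""
    pos, n = 0, len(sql)
    while pos < n:
        if sql[pos].isspace():
            pos += 1
        elif sql.startswith("#", pos) or sql.startswith("--", pos):
            nl = sql.find("\n", pos)
            pos = n if nl == -1 else nl + 1    # comment-only buffer leaves nothing to classify
        else:
            break
    return sql[pos:]

def category(sql):
    """Category of the first keyword in the buffer, or None when no filter matches."""
    m = re.match(r"\s*([A-Za-z]+)", sql)
    return CATEGORY.get(m.group(1).upper()) if m else None

def classify_vulnerable(sql): return category(sql)                    # raw buffer: a comment marker never matches
def classify_fixed(sql): return category(skip_leading_comments(sql))  # skip leading comments, then match

# Constructed general-log excerpt, "<timestamp>\t<conn_id> <command>\t<argument>" per entry;
# a statement that starts with a line comment continues on the following line.
SAMPLE_LOG = """\
2026-03-10T12:00:02.000000Z\t   42 Query\t-- maintenance
DROP TABLE orders_archive
2026-03-10T12:00:03.000000Z\t   42 Query\t# housekeeping
GRANT ALL ON inventory.* TO 'app'@'%'
2026-03-10T12:00:04.000000Z\t   43 Query\tUPDATE orders SET status = 'shipped' WHERE id = 7
"""
ENTRY = re.compile(r"^(\S+)\t\s*(\d+) (\w+)\t(.*)$")
def parse_general_log(text):
    entries = []                                # [timestamp, conn_id, command, argument]
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), int(m.group(2)), m.group(3), m.group(4)])
        elif entries:
            entries[-1][3] += "\n" + line       # continuation line of the previous statement
    return entries
def find_unaudited(text):
    """(conn_id, category) of queries the vulnerable classifier drops but the fixed one matches."""
    return [(conn, classify_fixed(arg)) for _ts, conn, cmd, arg in parse_general_log(text)
            if cmd == "Query" and classify_vulnerable(arg) is None and classify_fixed(arg)]
```

Each tuple returned by find_unaudited names a connection and the server_audit_events category that silently lost an entry, which is the gap to reconcile against the audit log for that session.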
Monitoring Recommendations
- Forward MariaDB binary logs and general query logs to a centralized analytics platform for correlation with audit plugin output.
- Track the ratio of executed queries to logged audit events per user and alert on significant deviations.
- Monitor for changes to server_audit_events and audit plugin configuration variables that could mask the issue further.
How to Mitigate CVE-2026-3494
Immediate Actions Required
- Apply the fixed MariaDB build that includes commit 635559a2ad68a5a6d1a354e8209c58323dba0261 once released by your distribution.
- For AWS-managed services, follow the guidance in AWS Security Bulletin 2026-006 to upgrade Aurora MySQL and RDS instances to patched engine versions.
- Enable supplementary logging sources, such as the general query log or binary log, until patched versions are deployed.
- Review audit records from the exposure window and corroborate them with application-tier logs.
Patch Information
Upstream fixes are available in the MariaDB server repository and the AWS audit plugin for MySQL. The relevant commits are 635559a2 for MariaDB and 01e25a5c for the AWS audit plugin. Patched engine versions are being rolled out through Amazon Aurora MySQL and Amazon RDS per the AWS bulletin.
Workarounds
- Enable the general query log on sensitive instances to capture all executed statements, accepting the performance and storage trade-off.
- Restrict database access to known application service accounts and remove interactive user privileges where possible.
- Place a query proxy or firewall in front of the database to log and optionally reject statements that begin with -- or # comment markers.
# Example: temporarily enable the general query log on MariaDB
# until a patched build is installed.
mysql -u root -p -e "SET GLOBAL general_log_file='/var/log/mysql/general.log'; SET GLOBAL general_log='ON';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.