CVE Catalog

CVE-2026-3494

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

19th percentile - higher than 19% of all known CVEs

Summary

In MariaDB server up to version 11.8.5, when the server audit plugin is enabled with the server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, an authenticated database user can invoke a SQL statement prefixed with double-hyphen (--) or hash (#) style comments, which is not logged.

Risk Assessment

The risk is that administrators may lack full visibility into database user actions, potentially missing unauthorized or malicious SQL queries, compromising data integrity and security.

Recommendation

It is recommended to upgrade MariaDB server to version 11.8.6 or later, which includes a fix for this behavior, and verify the audit plugin configuration.

Original NVD description (English source)

In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (—) or hash (#) style comments, the statement is not logged.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS