CVE-2026-3494 is an audit logging bypass vulnerability in MariaDB Server's server audit plugin, classified as Insufficient Logging (CWE-778). When the audit plugin is enabled with server_audit_events configured to filter QUERY_DCL, QUERY_DDL, or QUERY_DML events, SQL statements prefixed with double-hyphen (--) or hash (#) style comments are silently skipped and not recorded in the audit log. The vulnerability affects MariaDB Server through version 11.8.5, as well as Amazon RDS for MariaDB, Amazon RDS for MySQL, and Amazon Aurora MySQL across multiple version ranges. It was published on March 3, 2026, with a CVSS v3.1 base score of 4.3 (Medium) and a CVSS v4.0 base score of 5.3 (Medium) (AWS Security Bulletin, MSRC Advisory).
The root cause lies in the audit plugin's own simple SQL parser, which incorrectly handled SQL comment prefixes (-- and #) when determining the statement type for event filtering. Because the plugin's internal parser — rather than the server's authoritative SQL command classification — was used to categorize queries, statements beginning with these comment styles were misclassified and excluded from logging. The fix, tracked as MDEV-38375, removes the plugin's custom parser entirely and replaces it with a call to thd_sql_command(thd), which uses the server's own command classification (MariaDB Commit, AWS Audit Plugin Commit). Exploitation requires only a low-privileged, authenticated database account and no user interaction, making it straightforward for any database user to abuse.
Successful exploitation allows an authenticated database user to execute DDL, DML, or DCL SQL statements — including potentially sensitive operations such as data modification, privilege grants, or schema changes — without those actions appearing in the audit log. This undermines compliance and forensic capabilities, as security teams and auditors cannot rely on the audit trail to detect unauthorized or malicious database activity. The integrity impact is low in terms of direct data modification, but the audit evasion capability significantly increases the risk of undetected insider threats or post-compromise lateral movement within the database environment (AWS Security Bulletin).
Upgrade to a patched version as the primary remediation — no known workarounds exist. Fixed versions include: MariaDB Server (patches available via SUSE SU-2026:2282-1 and SU-2026:2330-1, and Amazon Linux 2023 ALAS2023-2026-1811); Amazon RDS for MariaDB (10.6.25, 10.11.16, 11.4.10, 11.8.6); Amazon RDS for MySQL (5.7.44-RDS.20260212, 8.0.45, 8.4.8); Amazon Aurora MySQL (2.12.6, 3.04.6, 3.10.3, 3.11.1). Microsoft has also released patched packages for CBL-Mariadb (10.6.24-1) and AZL3 (10.11.15-1). Organizations should prioritize upgrading managed database instances and any self-hosted MariaDB deployments, and verify audit log completeness after patching (AWS Security Bulletin, MSRC Advisory, SUSE Advisory).
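A post-patch completeness check of the kind the remediation guidance above calls for, as an added example (not code from the AWS bulletin, MariaDB, or the audit plugin itself): it parses a server_audit log and reports any canary statement, including the comment-prefixed variants the plugin used to skip, that never appears as a logged QUERY event. The field order, the single-quoted object column and the `QUERY` operation name are assumptions about the server_audit CSV format; the log lines and canaries are constructed.

```python
import csv
import io

# Constructed sample of a server_audit log (assumed field order: timestamp,
# serverhost,username,host,connectionid,queryid,operation,database,object,
# retcode). It lacks the comment-prefixed canaries, as an unpatched server would.
SAMPLE_LOG = """\
20260303 10:00:01,db1,app,10.0.0.5,12,40,QUERY,shop,'CREATE TABLE canary_a (id INT)',0
20260303 10:00:02,db1,app,10.0.0.5,12,41,QUERY,shop,'INSERT INTO canary_a VALUES (1)',0
20260303 10:00:04,db1,app,10.0.0.5,12,43,QUERY,shop,'DROP TABLE canary_a',0
"""

# Canary statements a DBA runs after upgrading; the two with a leading
# "--" or "#" comment are the cases CVE-2026-3494 caused the plugin to drop.
CANARIES = [
    "CREATE TABLE canary_a (id INT)",
    "INSERT INTO canary_a VALUES (1)",
    "-- comment\nCREATE TABLE canary_b (id INT)",
    "# comment\nINSERT INTO canary_b VALUES (1)",
    "DROP TABLE canary_a",
]

FIELDS = ["timestamp", "serverhost", "username", "host", "connectionid",
          "queryid", "operation", "database", "object", "retcode"]


def parse_audit_log(text):
    """Parse audit lines into dicts. The object column is single-quoted and may
    contain commas, so the CSV reader is told to treat ' as the quote char."""
    reader = csv.reader(io.StringIO(text), quotechar="'")
    return [dict(zip(FIELDS, row)) for row in reader if len(row) == len(FIELDS)]


def canonical(sql):
    """Drop leading -- / # comment lines and collapse whitespace so a canary
    matches its logged form whether or not the comment prefix was preserved."""
    lines = [ln for ln in sql.strip().splitlines()
             if not ln.lstrip().startswith(("--", "#"))]
    return " ".join(" ".join(lines).split())


def find_unlogged(canaries, log_text):
    """Return the canaries that never appear as a QUERY* event in the log."""
    logged = {canonical(e["object"]) for e in parse_audit_log(log_text)
              if e["operation"].startswith("QUERY")}
    return [c for c in canaries if canonical(c) not in logged]
```

Any non-empty result after patching means the audit trail is still incomplete and the upgrade (or the server_audit_events setting) needs a second look.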
Amazon Web Services published a security bulletin (2026-006-AWS) on March 3, 2026, identifying and disclosing the vulnerability as the assigning CNA. Microsoft included CVE-2026-3494 in its March 2026 Patch Tuesday update cycle, which was covered by outlets including BleepingComputer and Lansweeper. SUSE issued security advisories (SUSE-SU-2026:2282-1 and SUSE-SU-2026:2330-1) for affected MariaDB packages in May 2026. Community discussion has been limited, consistent with the vulnerability's moderate severity and narrow exploitation preconditions (AWS Security Bulletin, MSRC Advisory).
Source: This report was generated using artificial intelligence.