Bug 2444155 (CVE-2026-3494)

Summary: CVE-2026-3494 MariaDB: MariaDB: Information disclosure due to unlogged SQL statements with comments
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in MariaDB. An authenticated database user can exploit this vulnerability by invoking SQL statements prefixed with double-hyphen (—) or hash (#) style comments. When the server audit plugin is enabled with specific event filtering, these statements are not logged. This oversight can lead to information disclosure, as critical database operations may bypass audit logging, hindering security monitoring and compliance.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2444314, 2444315, 2444316, 2444317    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-03 19:01:57 UTC 
In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (—) or hash (#) style comments, the statement is not logged.