MariaDB Server Audit Plugin Comment Handling Bypass

Bulletin ID: 2026-006-AWS
Scope: AWS
Content Type: Informational
Publication Date: 03/03/2026 10:15 AM PST
Description:

Amazon RDS/Aurora is a managed relational database service. We identified CVE-2026-3494. In MariaDB Server versions through 11.8.5, when the server audit plugin is enabled and the server_audit_events variable is configured to filter on QUERY_DCL, QUERY_DDL, or QUERY_DML, a SQL statement that an authenticated database user prefixes with a double-hyphen (--) or hash (#) style comment is not logged.
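As an added illustration of the failure mode described above (example code, not MariaDB's plugin code): a filter that derives the statement class from the first token sees a comment instead of a keyword, so a QUERY_DDL/QUERY_DML/QUERY_DCL filter matches nothing and the statement is dropped, while a hardened filter skips leading comments before classifying. The keyword sets and sample statements are constructed for the example, and the hardened version also skips /* */ comments as the general case.

```python
import re

# Constructed keyword sets for the three classes the bulletin names.
DDL = {"CREATE", "ALTER", "DROP", "RENAME", "TRUNCATE"}
DML = {"SELECT", "INSERT", "UPDATE", "DELETE", "REPLACE"}
DCL = {"GRANT", "REVOKE"}

# Leading whitespace, "-- " / bare "--" line comments, "#" line comments,
# and /* */ block comments, repeated as many times as they occur.
LEADING_COMMENT = re.compile(
    r"^(?:\s+|--(?:[ \t][^\n]*)?(?:\n|$)|#[^\n]*(?:\n|$)|/\*.*?\*/)+",
    re.S,
)


def classify_naive(stmt):
    """Model of the flawed behaviour: the class comes from the very first
    token, so a statement starting with a comment gets no class at all."""
    tokens = stmt.split(None, 1)
    if not tokens:
        return None
    kw = tokens[0].upper()
    for name, words in (("DDL", DDL), ("DML", DML), ("DCL", DCL)):
        if kw in words:
            return name
    return None


def strip_leading_comments(stmt):
    """Remove comments and whitespace in front of the first real token."""
    return LEADING_COMMENT.sub("", stmt, count=1)


def classify_hardened(stmt):
    """Classify on the first token that is not inside a comment."""
    return classify_naive(strip_leading_comments(stmt))


def audit(statements, events, classify):
    """Return the statements a filter on `events` would write to the log."""
    return [s for s in statements
            if classify(s) is not None and f"QUERY_{classify(s)}" in events]


# Constructed sample statements, not captured from any system.
SAMPLE = [
    "DROP TABLE accounts",
    "-- routine maintenance\nDROP TABLE accounts",
    "#\nGRANT ALL PRIVILEGES ON *.* TO 'bob'@'%'",
    "/* batch */ DELETE FROM orders WHERE id < 100",
    "SHOW TABLES",
]
EVENTS = {"QUERY_DDL", "QUERY_DML", "QUERY_DCL"}
```

With the filter above, the naive classifier logs only the first statement, while the hardened one logs the first four; SHOW TABLES is outside all three classes and is dropped by both.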

Impacted versions:

  • MariaDB Server (10.6.24 and prior, 10.11.15 and prior, 11.4.9 and prior, and 11.8.5 and prior)
  • Amazon Aurora MySQL (2.12.5 and prior, 3.01.0 to 3.04.5, 3.05.1 to 3.10.2, and 3.11.0)
  • Amazon RDS for MySQL (5.7.44-RDS.20251212 and prior, 8.0.11 to 8.0.44, and 8.4.3 to 8.4.7)
  • Amazon RDS for MariaDB (10.6.24 and prior, 10.11.4 to 10.11.15, 11.4.3 to 11.4.9, and 11.8.3 to 11.8.5)

Resolution:

This issue has been addressed in the following versions:

  • Amazon Aurora MySQL (2.12.6, 3.04.6, 3.10.3, and 3.11.1)
  • Amazon RDS for MySQL (5.7.44-RDS.20260212, 8.0.45, and 8.4.8)
  • Amazon RDS for MariaDB (10.6.25, 10.11.16, 11.4.10, and 11.8.6)

We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

Workarounds:

There are no known workarounds.

Reference:

Please email aws-security@amazon.com with any security questions or concerns.