## https://sploitus.com/exploit?id=0D5A38B8-25E6-5166-A598-319442782767
# CVE-2026-3494 - MariaDB server_audit Logging Verification PoC
This project provides a specialized environment to verify and analyze a potential audit logging bypass in the MariaDB `server_audit` plugin when specific inline comments (`#`, `--`) are used within SQL queries.
---
## Key Findings
* **Logging Omission in v11.8.6**: Observed that certain queries (e.g., `SET PASSWORD` with comments or `Error 1046` cases) fail to be recorded in the audit log in MariaDB v11.8.6, which was previously considered a patched version.
* **Potential Parser Discrepancy**: Identified a potential change in the Audit Plugin's parser behavior in recent versions, where multiline comments (`#`) might cause DCL statements to be improperly processed or ignored by the auditor.
* **Version Regression Identification**: Detected a behavior where logs successfully recorded in v11.8.5 and below are omitted in v11.8.6, suggesting a possible regression in the audit logging logic.
---
## 1. Overview
* **CVE Reference**: CVE-2026-3494
* **Affected Versions**: MariaDB 11.8.5 and below (including 10.x branches)
* **Vulnerability Detail**: When `server_audit` is enabled with filters such as `QUERY_DCL`, `QUERY_DDL`, and `QUERY_DML`, certain queries containing inline comments may bypass the logging mechanism.
* **Objective**: To compare audit logging behavior across multiple MariaDB versions (vulnerable vs. patched) under identical query conditions.
---
## 2. Actual Results (Verification)
The following matrix summarizes the observed logging behavior during testing:
```text
[MariaDB 10.3.39 / 11.8.5]
- CASE #1, #2A, #2B, #3, #4 → All LOGGED (Normal behavior)
[MariaDB 11.8.6 (Target Version)]
- CASE #2B (Error 1046) → NOT LOGGED (Logging Omission)
- CASE #3 (Commented SET PASSWORD) → NOT LOGGED (Logging Omission)
- CASE #1, #2A, #4 → LOGGED (Normal behavior)
```
---
## 3. Test Environment
This project utilizes Docker Compose to run three isolated MariaDB instances:
| Version | Port | Status | Description |
| :--- | :--- | :--- | :--- |
| **MariaDB 10.3.39** | 3306 | **Vulnerable** | Legacy stable version verification |
| **MariaDB 11.8.5** | 3307 | **Vulnerable** | Latest vulnerable version verification |
| **MariaDB 11.8.6** | 3308 | **Target** | Evaluation of recent audit logging changes |
---
## 4. Setup & Execution
### 1) Infrastructure Setup (Docker)
Build and start the MariaDB containers. The environment automatically configures the `server_audit` plugin and initializes test users.
```bash
# Build and start containers
docker compose up --build -d
# Verify container status
docker ps
```
### 2) Preparation (Host)
Install the required Python dependencies:
```bash
pip install pymysql
```
### 3) Run PoC
The script can be executed from any directory within the project.
```bash
python poc/poc.py
```
---
## 5. Test Case Details
The PoC performs 5 distinct scenarios:
1. **TEST_CASE_1 (Normal)**: Standard query without comments (Control group).
2. **TEST_CASE_2_A (Error 1146)**: Query resulting in "Table doesn't exist" error.
3. **TEST_CASE_2_B (Error 1046)**: Query resulting in "No database selected" error (**Jira reproduction case**).
4. **TEST_CASE_3 (Commented SET PASSWORD)**: `SET PASSWORD` command with an embedded `#` comment (**Bypass check**).
5. **TEST_CASE_4 (Commented SELECT)**: `SELECT` statement with an embedded `#` comment (**Bypass check**).
---
## 6. Result Interpretation
* **`LOGGED`**: The query was successfully recorded in the audit log.
* **`NOT LOGGED`**: The query was omitted from the log (Potential bypass or regression).
* **`>> Actual Log`**: Displays the raw entry from `server_audit.log` in blue to verify the integrity of the recorded statement.
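
The `LOGGED` / `NOT LOGGED` decision can be reproduced offline as an audit-coverage check over `server_audit.log`. The sketch below is an added example, not the project's `poc/poc.py`. It assumes the standard one-record-per-line layout `timestamp,serverhost,username,host,connectionid,queryid,operation,database,object,retcode`. The statements, hosts, users and log lines are constructed to mirror the 11.8.6 matrix above.

```python
# Added example: audit-coverage check over server_audit file-log lines.
# Assumed record layout (one record per line):
# timestamp,serverhost,username,host,connectionid,queryid,operation,database,object,retcode
HEAD_FIELDS = 8  # fields before the quoted statement ("object")

def parse_audit_line(line):
    """Parse one record; the quoted statement may itself contain commas."""
    parts = line.rstrip("\n").split(",", HEAD_FIELDS)
    if len(parts) <= HEAD_FIELDS:
        return None                      # truncated or foreign line
    obj, sep, retcode = parts[HEAD_FIELDS].rpartition(",")
    if not sep or not retcode.strip().isdigit():
        return None
    if len(obj) >= 2 and obj[0] == obj[-1] == "'":
        obj = obj[1:-1]                  # drop the surrounding quotes
    return {"user": parts[2], "operation": parts[6],
            "statement": obj, "retcode": int(retcode)}

def normalize(sql):
    """Collapse whitespace and case so formatting differences do not matter."""
    return " ".join(sql.split()).lower()

def coverage(executed, log_text):
    """Map each executed case name to 'LOGGED' or 'NOT LOGGED'."""
    records = [r for r in map(parse_audit_line, log_text.splitlines()) if r]
    report = {}
    for name, (fragment, retcode) in executed.items():
        hit = any(r["operation"] == "QUERY" and r["retcode"] == retcode
                  and normalize(fragment) in normalize(r["statement"])
                  for r in records)
        report[name] = "LOGGED" if hit else "NOT LOGGED"
    return report

# Constructed inputs: hypothetical statements/return codes the client ran,
# and a constructed log excerpt (hosts, users and ids are made up).
EXECUTED = {
    "TEST_CASE_1": ("SELECT VERSION()", 0),
    "TEST_CASE_2_B": ("SELECT * FROM user", 1046),
    "TEST_CASE_3": ("SET PASSWORD", 1133),
    "TEST_CASE_4": ("SELECT 1, 2", 0),
}
SAMPLE_LOG = """\
20260504 04:45:00,db-host,audit_test,172.18.0.1,12,0,CONNECT,,,0
20260504 04:45:01,db-host,audit_test,172.18.0.1,12,100,QUERY,mysql,'SELECT VERSION()',0
20260504 04:45:09,db-host,audit_test,172.18.0.1,12,104,QUERY,mysql,'SELECT 1, 2 # marker',0
garbage line without enough fields
"""

if __name__ == "__main__":
    for case, status in coverage(EXECUTED, SAMPLE_LOG).items():
        print(f"{case}: {status}")
```

Run against a real log, a `NOT LOGGED` result for a statement the client confirmed as executed is the signal to investigate. Substring matching is deliberately loose and should be tightened (for example by connection id) on a busy server.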
---
## 7. Verification Logs (Actual Evidence)
Below are the actual execution logs showing the difference between the expected behavior (11.8.5) and the logging omission (11.8.6).
### MariaDB 11.8.5 (Expected Logging Behavior)
```text
[+] TEST_CASE_2_B_ERROR_1046
Result: LOGGED
>> Actual Log: | 20260504 04:45:05,...,QUERY,mysql,'SELECT * FROM user',1046
[+] TEST_CASE_3_COMMENT_SET_PASSWORD
Result: LOGGED
>> Actual Log: | 20260504 04:45:07,...,QUERY,mysql,'SET PASSWORD # CVE-2026-3494 Test ...',1133
```
### MariaDB 11.8.6 (Logging Omission Observed)
```text
[+] TEST_CASE_2_B_ERROR_1046 (No database selected)
Result: NOT LOGGED
```
> [!TIP]
> For the complete terminal output of all test cases and versions, refer to the [Full Execution Log](results/full_execution_log.md).
---
## 8. Project Structure
```text
.
├── config/                    # MariaDB server_audit configuration
├── init/                      # Initialization scripts (User & Plugin setup)
├── logs/                      # Audit log volume mounts
├── poc/
│   └── poc.py                 # Automated verification script
├── results/
│   └── full_execution_log.md  # Detailed terminal output logs
├── docker-compose.yml         # Multi-version environment definition
└── README.md                  # Project documentation (Current file)
```
---
## 9. Disclaimer
This project is for educational and security research purposes only. Use it responsibly and do not apply these configurations to production environments without thorough testing.