Skip to main content

MySQL Shell CVE-2026-46850

| EUVDEUVD-2026-37343 CRITICAL
Code Injection (CWE-94)
2026-06-16 oracle
9.9
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

HTTP-reachable extension surface (AV:N), low complexity per Oracle (AC:L), requires a low-privileged session (PR:L), no user interaction, and scope-change full CIA impact via the Shell's database connections.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 22:46 vuln.today
CVE Published
Jun 16, 2026 - 19:27 cve.org
CRITICAL 9.9

DescriptionCVE.org

Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell for VS Code). The supported version that is affected is 2026.2.0+9.6.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise MySQL Shell. While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Shell. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Privilege escalation and full takeover of Oracle MySQL Shell's VS Code extension affects version 2026.2.0+9.6.1, allowing a low-privileged remote attacker with HTTP network access to fully compromise the Shell with confidentiality, integrity, and availability impact. Because the CVSS vector indicates a scope change (S:C), successful exploitation propagates impact beyond the Shell itself into adjacent components the extension connects to, such as MySQL servers managed through the VS Code workflow. No public exploit identified at time of analysis, but the 9.9 base score and 'easily exploitable' wording from Oracle warrant urgent remediation.

Technical ContextAI

The affected component is the 'Shell for VS Code' module of MySQL Shell, Oracle's interactive client used by DBAs and developers to administer MySQL servers from inside Visual Studio Code. CPE cpe:2.3:a:oracle_corporation:mysql_shell:*:*:*:*:*:*:*:* names the Oracle MySQL Shell product; the EUVD record narrows the affected build to 2026.2.0+9.6.1. CWE was not assigned by Oracle, but the combination of AV:N, low privileges, and a scope change is characteristic of an HTTP-reachable management surface in the VS Code extension (such as a local-listener or session endpoint) that mishandles authorization or input, letting a holder of limited credentials pivot to full control over the Shell session and the database connections it brokers.

RemediationAI

Patch available per vendor advisory: apply the fixes published in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html) for MySQL Shell, updating away from 2026.2.0+9.6.1 to the Oracle-released patched build referenced in that CPU. Until the upgrade is applied, restrict who can reach the MySQL Shell for VS Code listener - keep developer workstations off shared multi-user hosts, bind the extension's HTTP interface to localhost only via host firewall rules, and limit which accounts on a workstation can connect to the extension; note the trade-off that locking the listener to loopback will break any legitimate remote-attach or remote-IDE workflows. Revoke any low-privilege MySQL Shell credentials shared with untrusted users on the same network segment, and audit MySQL servers reachable from affected workstations for unexpected configuration or schema changes given the scope-change impact.

Share

CVE-2026-46850 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy