Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
HTTP-reachable extension surface (AV:N), low complexity per Oracle (AC:L), requires a low-privileged session (PR:L), no user interaction, and scope-change full CIA impact via the Shell's database connections.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell for VS Code). The supported version that is affected is 2026.2.0+9.6.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise MySQL Shell. While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Shell. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Privilege escalation and full takeover of Oracle MySQL Shell's VS Code extension affects version 2026.2.0+9.6.1, allowing a low-privileged remote attacker with HTTP network access to fully compromise the Shell with confidentiality, integrity, and availability impact. Because the CVSS vector indicates a scope change (S:C), successful exploitation propagates impact beyond the Shell itself into adjacent components the extension connects to, such as MySQL servers managed through the VS Code workflow. No public exploit identified at time of analysis, but the 9.9 base score and 'easily exploitable' wording from Oracle warrant urgent remediation.
Technical ContextAI
The affected component is the 'Shell for VS Code' module of MySQL Shell, Oracle's interactive client used by DBAs and developers to administer MySQL servers from inside Visual Studio Code. CPE cpe:2.3:a:oracle_corporation:mysql_shell:*:*:*:*:*:*:*:* names the Oracle MySQL Shell product; the EUVD record narrows the affected build to 2026.2.0+9.6.1. CWE was not assigned by Oracle, but the combination of AV:N, low privileges, and a scope change is characteristic of an HTTP-reachable management surface in the VS Code extension (such as a local-listener or session endpoint) that mishandles authorization or input, letting a holder of limited credentials pivot to full control over the Shell session and the database connections it brokers.
RemediationAI
Patch available per vendor advisory: apply the fixes published in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html) for MySQL Shell, updating away from 2026.2.0+9.6.1 to the Oracle-released patched build referenced in that CPU. Until the upgrade is applied, restrict who can reach the MySQL Shell for VS Code listener - keep developer workstations off shared multi-user hosts, bind the extension's HTTP interface to localhost only via host firewall rules, and limit which accounts on a workstation can connect to the extension; note the trade-off that locking the listener to loopback will break any legitimate remote-attach or remote-IDE workflows. Revoke any low-privilege MySQL Shell credentials shared with untrusted users on the same network segment, and audit MySQL servers reachable from affected workstations for unexpected configuration or schema changes given the scope-change impact.
More in Mysql Shell
View allTakeover of Oracle MySQL Shell is possible against the Shell for VS Code component in version 2026.2.0+9.6.1, where a lo
Unauthorized data disclosure in Oracle MySQL Shell's VS Code extension component (version 2026.2.0+9.6.1) allows a low-p
Unauthorized access to critical data is achievable in Oracle MySQL Shell's Dump and Load component, affecting versions 8
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: General/Core Client). Rated low severity (CV
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37343