Skip to main content

MySQL Router CVE-2026-46860

| EUVDEUVD-2026-37353 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Oracle states HTTP-reachable, unauthenticated, easily exploitable takeover of the Router process, justifying AV:N/AC:L/PR:N/UI:N and C:H/I:H/A:H within the Router's own scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 22:40 vuln.today
CVE Published
Jun 16, 2026 - 19:27 cve.org
CRITICAL 9.8

DescriptionCVE.org

Vulnerability in the MySQL Router product of Oracle MySQL (component: Router: General). Supported versions that are affected are 9.0.0-9.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise MySQL Router. Successful attacks of this vulnerability can result in takeover of MySQL Router. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote takeover of Oracle MySQL Router 9.0.0 through 9.7.0 is possible by unauthenticated attackers reaching the Router over HTTP, per Oracle's Critical Patch Update advisory (CPU June 2026). Oracle scores this 9.8 CVSS 3.1 with full confidentiality, integrity, and availability impact, and rates exploitation as easy. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed MySQL Router HTTP port
Delivery
Send crafted HTTP request to Router endpoint
Exploit
Trigger unauthenticated flaw in Router: General
Execution
Achieve Router process takeover
Persist
Intercept or redirect cluster traffic
Impact
Pivot to backend MySQL data

Vulnerability AssessmentAI

Exploitation The MySQL Router HTTP listener (the http_server / REST API surface) must be reachable from the attacker over the network, and the Router must be running an affected 9.0.0-9.7.0 release; no authentication, no user interaction, and no special non-default configuration are required per CVSS PR:N/UI:N/AC:L. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point in the same direction: Oracle's CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H gives network reach, low complexity, no privileges, and no user interaction, with full CIA impact - meaning a single HTTP request from anywhere the Router's HTTP port is reachable can fully compromise the Router process. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network reach to a MySQL Router instance sends a crafted HTTP request to the Router's HTTP listener and, without authenticating, gains control of the Router process - pivoting to intercept, redirect, or manipulate traffic flowing to the backing MySQL InnoDB Cluster. No public exploit is identified at time of analysis, but Oracle's 'easily exploitable' wording and the AV:N/AC:L/PR:N/UI:N vector imply a single-request exploitation pattern that is straightforward to weaponize once technical details surface.
Remediation Apply the fix from Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html); the input does not enumerate an exact fixed version, so this should be recorded as 'Patch available per vendor advisory' and the precise post-9.7.0 fixed release confirmed directly from the CPU matrix before deployment. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running MySQL Router 9.0.0-9.7.0; immediately restrict HTTP access using network firewalls and WAF policies to trusted networks only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46860 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy