Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Network-reachable via multiple protocols with no attacker privileges; user must trigger dump/load; only confidentiality is impacted, matching vendor-provided vector exactly.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Dump and Load). Supported versions that are affected are 8.4.0-8.4.9 and 9.0.0-9.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Shell. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Shell accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).
AnalysisAI
Unauthorized access to critical data is achievable in Oracle MySQL Shell's Dump and Load component, affecting versions 8.4.0-8.4.9 and 9.0.0-9.7.0. An unauthenticated network attacker can exploit this across multiple protocols, but requires a victim user to interact - likely by connecting to or loading a dump from a malicious source. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a human user - other than the attacker - actively initiates a dump or load operation within MySQL Shell (UI:R). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.5 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N reflects a realistic mid-tier threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker operates a malicious MySQL server or a rogue S3-compatible object storage endpoint. They social-engineer or otherwise induce a database administrator to run a MySQL Shell load operation (e.g., util.loadDump()) pointed at the attacker's infrastructure. … |
| Remediation | Apply the patch released as part of Oracle's Critical Security Patch Update (CPU) for June 2026, available via the Oracle advisory at https://www.oracle.com/security-alerts/cspujun2026.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Mysql Shell
View allPrivilege escalation and full takeover of Oracle MySQL Shell's VS Code extension affects version 2026.2.0+9.6.1, allowin
Takeover of Oracle MySQL Shell is possible against the Shell for VS Code component in version 2026.2.0+9.6.1, where a lo
Unauthorized data disclosure in Oracle MySQL Shell's VS Code extension component (version 2026.2.0+9.6.1) allows a low-p
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: General/Core Client). Rated low severity (CV
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37362