Skip to main content

MySQL Router EUVDEUVD-2026-37353

| CVE-2026-46860 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Oracle states HTTP-reachable, unauthenticated, easily exploitable takeover of the Router process, justifying AV:N/AC:L/PR:N/UI:N and C:H/I:H/A:H within the Router's own scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 22:40 vuln.today
CVE Published
Jun 16, 2026 - 19:27 cve.org
CRITICAL 9.8

DescriptionCVE.org

Vulnerability in the MySQL Router product of Oracle MySQL (component: Router: General). Supported versions that are affected are 9.0.0-9.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise MySQL Router. Successful attacks of this vulnerability can result in takeover of MySQL Router. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote takeover of Oracle MySQL Router 9.0.0 through 9.7.0 is possible by unauthenticated attackers reaching the Router over HTTP, per Oracle's Critical Patch Update advisory (CPU June 2026). Oracle scores this 9.8 CVSS 3.1 with full confidentiality, integrity, and availability impact, and rates exploitation as easy. No public exploit identified at time of analysis and the CVE is not present in CISA KEV, but the network-reachable, no-auth, low-complexity profile makes it a high-priority patch.

Technical ContextAI

MySQL Router is the lightweight middleware that sits between MySQL clients and InnoDB Cluster / ReplicaSet / ClusterSet backends, performing connection routing, load balancing, and failover. The affected component is identified by Oracle as 'Router: General', and the affected CPE is cpe:2.3:a:oracle_corporation:mysql_router:*. The vulnerability is reached over HTTP, which in MySQL Router typically corresponds to its embedded REST/HTTP server used for health, metadata, and monitoring endpoints (the http_server / rest_api plugins). No CWE is assigned in the input, so the precise weakness class (authentication bypass, deserialization, command injection, etc.) is not disclosed; Oracle's CPU notes generally withhold technical detail until customers have patched.

RemediationAI

Apply the fix from Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html); the input does not enumerate an exact fixed version, so this should be recorded as 'Patch available per vendor advisory' and the precise post-9.7.0 fixed release confirmed directly from the CPU matrix before deployment. As a compensating control until patching, restrict network access to the MySQL Router HTTP/REST endpoint to management hosts only via host firewall or security group rules, or disable the http_server / rest_api plugins in mysqlrouter.conf if monitoring and REST-driven orchestration are not in use - note this will break Router metrics scraping and any tooling that drives Router via its REST API. Do not expose MySQL Router's HTTP port to untrusted networks under any circumstances.

Share

EUVD-2026-37353 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy