Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Oracle states HTTP-reachable, unauthenticated, easily exploitable takeover of the Router process, justifying AV:N/AC:L/PR:N/UI:N and C:H/I:H/A:H within the Router's own scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Vulnerability in the MySQL Router product of Oracle MySQL (component: Router: General). Supported versions that are affected are 9.0.0-9.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise MySQL Router. Successful attacks of this vulnerability can result in takeover of MySQL Router. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Remote takeover of Oracle MySQL Router 9.0.0 through 9.7.0 is possible by unauthenticated attackers reaching the Router over HTTP, per Oracle's Critical Patch Update advisory (CPU June 2026). Oracle scores this 9.8 CVSS 3.1 with full confidentiality, integrity, and availability impact, and rates exploitation as easy. No public exploit identified at time of analysis and the CVE is not present in CISA KEV, but the network-reachable, no-auth, low-complexity profile makes it a high-priority patch.
Technical ContextAI
MySQL Router is the lightweight middleware that sits between MySQL clients and InnoDB Cluster / ReplicaSet / ClusterSet backends, performing connection routing, load balancing, and failover. The affected component is identified by Oracle as 'Router: General', and the affected CPE is cpe:2.3:a:oracle_corporation:mysql_router:*. The vulnerability is reached over HTTP, which in MySQL Router typically corresponds to its embedded REST/HTTP server used for health, metadata, and monitoring endpoints (the http_server / rest_api plugins). No CWE is assigned in the input, so the precise weakness class (authentication bypass, deserialization, command injection, etc.) is not disclosed; Oracle's CPU notes generally withhold technical detail until customers have patched.
RemediationAI
Apply the fix from Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html); the input does not enumerate an exact fixed version, so this should be recorded as 'Patch available per vendor advisory' and the precise post-9.7.0 fixed release confirmed directly from the CPU matrix before deployment. As a compensating control until patching, restrict network access to the MySQL Router HTTP/REST endpoint to management hosts only via host firewall or security group rules, or disable the http_server / rest_api plugins in mysqlrouter.conf if monitoring and REST-driven orchestration are not in use - note this will break Router metrics scraping and any tooling that drives Router via its REST API. Do not expose MySQL Router's HTTP port to untrusted networks under any circumstances.
More in Mysql Router
View allSame weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37353