Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
HTTP-reachable operator endpoint gives AV:N/AC:L; low-privileged creds required so PR:L; no user interaction; scope-change crosses into managed cluster data with full C/I impact and no availability effect.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Vulnerability in the MySQL NDB Cluster product of Oracle MySQL (component: Cluster: NDB Operator). Supported versions that are affected are 8.0.11-8.0.46, 8.4.0-8.4.9 and 9.0.0-9.7.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise MySQL NDB Cluster. While the vulnerability is in MySQL NDB Cluster, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL NDB Cluster accessible data as well as unauthorized access to critical data or complete access to all MySQL NDB Cluster accessible data. CVSS 3.1 Base Score 9.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).
AnalysisAI
Cross-component compromise in Oracle MySQL NDB Cluster (versions 8.0.11-8.0.46, 8.4.0-8.4.9, and 9.0.0-9.7.0) allows a low-privileged remote attacker with HTTP access to the NDB Operator component to read, modify, create, or delete all data accessible to the cluster. The scope-changed nature (S:C) means successful attacks reach beyond the NDB Cluster boundary into adjacent products. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must have network reachability to the MySQL NDB Cluster's NDB Operator HTTP interface and must hold low-privilege credentials valid against that interface (PR:L, not PR:N), so fully unauthenticated exploitation is not indicated by the CVSS vector despite the 'Authentication Bypass' tag. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All signals converge on high real-world risk: CVSS 3.1 9.6 with AV:N/AC:L/PR:L/UI:N indicates trivially exploitable over the network by any user holding minimal credentials, S:C extends blast radius beyond the vulnerable component, and C:H/I:H mean full read and tamper of cluster data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A tenant in a shared Kubernetes cluster, or a compromised CI/CD service account with minimal credentials to the namespace running the NDB Operator, sends a crafted HTTP request to the operator's control endpoint and abuses the authorization flaw to read and rewrite NDB Cluster data outside its intended scope. Because the scope changes (S:C), the impact extends beyond the operator's own permissions to all data managed by the NDB Cluster it controls, including data belonging to other tenants or applications. … |
| Remediation | Apply the fixed releases shipped in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html) - upgrade past 8.0.46 on the 8.0 train, past 8.4.9 on the 8.4 train, and past 9.7.0 on the 9.x train (exact fixed build numbers should be taken directly from the Oracle advisory rather than inferred). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and inventory all MySQL NDB Cluster instances in production and non-production environments, documenting which are running affected versions (8.0.11-8.0.46, 8.4.0-8.4.9, 9.0.0-9.7.0). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37354