Skip to main content

MySQL NDB Cluster EUVDEUVD-2026-37354

| CVE-2026-46861 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.6
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
vuln.today AI
9.6 CRITICAL

HTTP-reachable operator endpoint gives AV:N/AC:L; low-privileged creds required so PR:L; no user interaction; scope-change crosses into managed cluster data with full C/I impact and no availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 22:39 vuln.today
CVE Published
Jun 16, 2026 - 19:27 cve.org
CRITICAL 9.6

DescriptionCVE.org

Vulnerability in the MySQL NDB Cluster product of Oracle MySQL (component: Cluster: NDB Operator). Supported versions that are affected are 8.0.11-8.0.46, 8.4.0-8.4.9 and 9.0.0-9.7.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise MySQL NDB Cluster. While the vulnerability is in MySQL NDB Cluster, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL NDB Cluster accessible data as well as unauthorized access to critical data or complete access to all MySQL NDB Cluster accessible data. CVSS 3.1 Base Score 9.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).

AnalysisAI

Cross-component compromise in Oracle MySQL NDB Cluster (versions 8.0.11-8.0.46, 8.4.0-8.4.9, and 9.0.0-9.7.0) allows a low-privileged remote attacker with HTTP access to the NDB Operator component to read, modify, create, or delete all data accessible to the cluster. The scope-changed nature (S:C) means successful attacks reach beyond the NDB Cluster boundary into adjacent products. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege HTTP credentials
Delivery
Reach NDB Operator endpoint
Exploit
Send crafted HTTP request
Execution
Bypass authorization check
Persist
Cross scope into managed cluster
Impact
Read and modify NDB data

Vulnerability AssessmentAI

Exploitation Attacker must have network reachability to the MySQL NDB Cluster's NDB Operator HTTP interface and must hold low-privilege credentials valid against that interface (PR:L, not PR:N), so fully unauthenticated exploitation is not indicated by the CVSS vector despite the 'Authentication Bypass' tag. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All signals converge on high real-world risk: CVSS 3.1 9.6 with AV:N/AC:L/PR:L/UI:N indicates trivially exploitable over the network by any user holding minimal credentials, S:C extends blast radius beyond the vulnerable component, and C:H/I:H mean full read and tamper of cluster data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A tenant in a shared Kubernetes cluster, or a compromised CI/CD service account with minimal credentials to the namespace running the NDB Operator, sends a crafted HTTP request to the operator's control endpoint and abuses the authorization flaw to read and rewrite NDB Cluster data outside its intended scope. Because the scope changes (S:C), the impact extends beyond the operator's own permissions to all data managed by the NDB Cluster it controls, including data belonging to other tenants or applications. …
Remediation Apply the fixed releases shipped in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html) - upgrade past 8.0.46 on the 8.0 train, past 8.4.9 on the 8.4 train, and past 9.7.0 on the 9.x train (exact fixed build numbers should be taken directly from the Oracle advisory rather than inferred). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all MySQL NDB Cluster instances in production and non-production environments, documenting which are running affected versions (8.0.11-8.0.46, 8.4.0-8.4.9, 9.0.0-9.7.0). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37354 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy