Skip to main content

MySQL Shell EUVDEUVD-2026-37362

| CVE-2026-46869 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-16 oracle
6.5
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable via multiple protocols with no attacker privileges; user must trigger dump/load; only confidentiality is impacted, matching vendor-provided vector exactly.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 00:23 vuln.today

DescriptionCVE.org

Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Dump and Load). Supported versions that are affected are 8.4.0-8.4.9 and 9.0.0-9.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Shell. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Shell accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

AnalysisAI

Unauthorized access to critical data is achievable in Oracle MySQL Shell's Dump and Load component, affecting versions 8.4.0-8.4.9 and 9.0.0-9.7.0. An unauthenticated network attacker can exploit this across multiple protocols, but requires a victim user to interact - likely by connecting to or loading a dump from a malicious source. The attack yields complete read access to all MySQL Shell-accessible data with no integrity or availability side effects. No public exploit has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.

Technical ContextAI

MySQL Shell is Oracle's advanced command-line client for MySQL, supporting scripting in JavaScript and Python. The affected component, 'Dump and Load', provides utilities (util.dumpInstance, util.loadDump, util.dumpSchemas, etc.) for migrating and restoring database content across servers. The vulnerability is tagged as an Authentication Bypass in the EUVD record, and the CVSS vector specifies PR:N (no attacker privileges required) with UI:R (victim interaction needed), suggesting the flaw lies in how the Dump and Load facility validates or authenticates data sources - potentially allowing an attacker-controlled server or dump artifact to be treated as trusted. The CPE string (cpe:2.3:a:oracle_corporation:mysql_shell:*:*:*:*:*:*:*:*) spans a wide version range across both the 8.4.x LTS and 9.x innovation tracks. No CWE has been formally assigned, but the Authentication Bypass tag aligns with CWE-287 (Improper Authentication) or CWE-346 (Origin Validation Error).

RemediationAI

Apply the patch released as part of Oracle's Critical Security Patch Update (CPU) for June 2026, available via the Oracle advisory at https://www.oracle.com/security-alerts/cspujun2026.html. The advisory references fixes for both the 8.4.x and 9.x tracks; consult the CPU matrix for the exact patched versions, as specific fix version numbers are not enumerated in the available data. Until patching is possible, restrict use of MySQL Shell's Dump and Load utilities to connections targeting only explicitly trusted, internally controlled MySQL servers or object storage endpoints - avoid loading dumps from external or unverified sources. If automated dump/load pipelines connect to remote or cloud-hosted storage, ensure endpoint URLs are validated and access-controlled to prevent redirection to attacker-controlled infrastructure. Note that disabling the Dump and Load feature entirely removes valuable migration capability; weigh this against exposure.

Share

EUVD-2026-37362 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy