Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Network-reachable via multiple protocols with no attacker privileges; user must trigger dump/load; only confidentiality is impacted, matching vendor-provided vector exactly.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Dump and Load). Supported versions that are affected are 8.4.0-8.4.9 and 9.0.0-9.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Shell. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Shell accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).
AnalysisAI
Unauthorized access to critical data is achievable in Oracle MySQL Shell's Dump and Load component, affecting versions 8.4.0-8.4.9 and 9.0.0-9.7.0. An unauthenticated network attacker can exploit this across multiple protocols, but requires a victim user to interact - likely by connecting to or loading a dump from a malicious source. The attack yields complete read access to all MySQL Shell-accessible data with no integrity or availability side effects. No public exploit has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.
Technical ContextAI
MySQL Shell is Oracle's advanced command-line client for MySQL, supporting scripting in JavaScript and Python. The affected component, 'Dump and Load', provides utilities (util.dumpInstance, util.loadDump, util.dumpSchemas, etc.) for migrating and restoring database content across servers. The vulnerability is tagged as an Authentication Bypass in the EUVD record, and the CVSS vector specifies PR:N (no attacker privileges required) with UI:R (victim interaction needed), suggesting the flaw lies in how the Dump and Load facility validates or authenticates data sources - potentially allowing an attacker-controlled server or dump artifact to be treated as trusted. The CPE string (cpe:2.3:a:oracle_corporation:mysql_shell:*:*:*:*:*:*:*:*) spans a wide version range across both the 8.4.x LTS and 9.x innovation tracks. No CWE has been formally assigned, but the Authentication Bypass tag aligns with CWE-287 (Improper Authentication) or CWE-346 (Origin Validation Error).
RemediationAI
Apply the patch released as part of Oracle's Critical Security Patch Update (CPU) for June 2026, available via the Oracle advisory at https://www.oracle.com/security-alerts/cspujun2026.html. The advisory references fixes for both the 8.4.x and 9.x tracks; consult the CPU matrix for the exact patched versions, as specific fix version numbers are not enumerated in the available data. Until patching is possible, restrict use of MySQL Shell's Dump and Load utilities to connections targeting only explicitly trusted, internally controlled MySQL servers or object storage endpoints - avoid loading dumps from external or unverified sources. If automated dump/load pipelines connect to remote or cloud-hosted storage, ensure endpoint URLs are validated and access-controlled to prevent redirection to attacker-controlled infrastructure. Note that disabling the Dump and Load feature entirely removes valuable migration capability; weigh this against exposure.
More in Mysql Shell
View allPrivilege escalation and full takeover of Oracle MySQL Shell's VS Code extension affects version 2026.2.0+9.6.1, allowin
Takeover of Oracle MySQL Shell is possible against the Shell for VS Code component in version 2026.2.0+9.6.1, where a lo
Unauthorized data disclosure in Oracle MySQL Shell's VS Code extension component (version 2026.2.0+9.6.1) allows a low-p
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: General/Core Client). Rated low severity (CV
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37362