Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable shell component (AV:N), complex multi-protocol chain (AC:H), low-priv foothold required (PR:L), no user click needed (UI:N), pivots beyond Shell into VS Code (S:C) with full takeover (C/I/A:H).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell for VS Code). The supported version that is affected is 2026.2.0+9.6.1. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Shell. While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Shell. CVSS 3.1 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Takeover of Oracle MySQL Shell is possible against the Shell for VS Code component in version 2026.2.0+9.6.1, where a low-privileged remote attacker can compromise the Shell with a scope-changing impact on additional products. The 8.5 CVSS score reflects full confidentiality, integrity, and availability impact, though high attack complexity tempers practical exploitability. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
MySQL Shell is Oracle's advanced client and administrative tool for MySQL, supporting JavaScript, Python, and SQL interfaces. The affected sub-component is the Shell for VS Code extension, which embeds MySQL Shell functionality inside Microsoft Visual Studio Code for developer workflows. The CPE cpe:2.3:a:oracle_corporation:mysql_shell identifies the product, and the CVSS scope-change (S:C) indicates the flaw in Shell can pivot into the VS Code host process or other extensions/products outside the original security authority. No CWE is provided in the source data, so the precise weakness class (e.g., deserialization, command injection, protocol parsing flaw) cannot be determined without Oracle's internal details.
RemediationAI
Apply the fixes from Oracle's June 2026 Critical Patch Update referenced at https://www.oracle.com/security-alerts/cspujun2026.html - Patch available per vendor advisory; no independently confirmed fixed build is published in the supplied data, so consult that advisory for the exact post-patch version. As compensating controls until patched, restrict the Shell for VS Code extension to connect only to trusted, internal MySQL endpoints (block outbound 3306/33060 to untrusted networks at the host firewall), avoid opening untrusted workspaces or connection profiles in VS Code on developer laptops, and consider temporarily uninstalling or disabling the MySQL Shell for VS Code extension on high-value workstations - the trade-off is loss of in-IDE database tooling for developers until the patch is rolled out.
More in Mysql Shell
View allPrivilege escalation and full takeover of Oracle MySQL Shell's VS Code extension affects version 2026.2.0+9.6.1, allowin
Unauthorized data disclosure in Oracle MySQL Shell's VS Code extension component (version 2026.2.0+9.6.1) allows a low-p
Unauthorized access to critical data is achievable in Oracle MySQL Shell's Dump and Load component, affecting versions 8
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: General/Core Client). Rated low severity (CV
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37363