Skip to main content

MySQL Shell EUVDEUVD-2026-37363

| CVE-2026-46870 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
8.5
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.5 HIGH

Network-reachable shell component (AV:N), complex multi-protocol chain (AC:H), low-priv foothold required (PR:L), no user click needed (UI:N), pivots beyond Shell into VS Code (S:C) with full takeover (C/I/A:H).

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:35 vuln.today

DescriptionCVE.org

Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell for VS Code). The supported version that is affected is 2026.2.0+9.6.1. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Shell. While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Shell. CVSS 3.1 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Takeover of Oracle MySQL Shell is possible against the Shell for VS Code component in version 2026.2.0+9.6.1, where a low-privileged remote attacker can compromise the Shell with a scope-changing impact on additional products. The 8.5 CVSS score reflects full confidentiality, integrity, and availability impact, though high attack complexity tempers practical exploitability. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

MySQL Shell is Oracle's advanced client and administrative tool for MySQL, supporting JavaScript, Python, and SQL interfaces. The affected sub-component is the Shell for VS Code extension, which embeds MySQL Shell functionality inside Microsoft Visual Studio Code for developer workflows. The CPE cpe:2.3:a:oracle_corporation:mysql_shell identifies the product, and the CVSS scope-change (S:C) indicates the flaw in Shell can pivot into the VS Code host process or other extensions/products outside the original security authority. No CWE is provided in the source data, so the precise weakness class (e.g., deserialization, command injection, protocol parsing flaw) cannot be determined without Oracle's internal details.

RemediationAI

Apply the fixes from Oracle's June 2026 Critical Patch Update referenced at https://www.oracle.com/security-alerts/cspujun2026.html - Patch available per vendor advisory; no independently confirmed fixed build is published in the supplied data, so consult that advisory for the exact post-patch version. As compensating controls until patched, restrict the Shell for VS Code extension to connect only to trusted, internal MySQL endpoints (block outbound 3306/33060 to untrusted networks at the host firewall), avoid opening untrusted workspaces or connection profiles in VS Code on developer laptops, and consider temporarily uninstalling or disabling the MySQL Shell for VS Code extension on high-value workstations - the trade-off is loss of in-IDE database tooling for developers until the patch is rolled out.

Share

EUVD-2026-37363 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy