Skip to main content

MySQL Shell EUVDEUVD-2026-37364

| CVE-2026-46871 MEDIUM
Improper Access Control (CWE-284)
2026-06-16 oracle
6.5
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network vector and low privilege confirmed by Oracle; C:H reflects complete MySQL Shell data read access; no integrity or availability impact is described or inferred.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 00:23 vuln.today

DescriptionCVE.org

Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell for VS Code). The supported version that is affected is 2026.2.0+9.6.1. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Shell. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Shell accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

AnalysisAI

Unauthorized data disclosure in Oracle MySQL Shell's VS Code extension component (version 2026.2.0+9.6.1) allows a low-privileged network attacker to gain complete read access to all data accessible through MySQL Shell. The vulnerability, tagged as Authentication Bypass by ENISA intelligence (EUVD-2026-37364), exploits insufficient authorization controls within the Shell for VS Code component, granting data-tier access without requiring user interaction or elevated privileges beyond an initial low-level credential. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Technical ContextAI

MySQL Shell (CPE: cpe:2.3:a:oracle_corporation:mysql_shell:*:*:*:*:*:*:*:*) is Oracle's advanced command-line client and IDE integration layer for MySQL, providing scripting interfaces in JavaScript, Python, and SQL. The Shell for VS Code component extends this functionality into the Visual Studio Code IDE environment, presumably by exposing a network-facing service or extension API that communicates over multiple protocols - consistent with Oracle's disclosure that the vulnerability is reachable 'via multiple protocols.' The specific affected version is 2026.2.0+9.6.1. Although the CWE field is listed as N/A in official Oracle disclosure data, ENISA intelligence tags this as 'Authentication Bypass,' pointing to a probable CWE-285 (Improper Authorization) or CWE-287 (Improper Authentication) root cause class - where the extension fails to adequately verify that a low-privileged caller is restricted from accessing higher-sensitivity data tiers. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms the attack surface is fully network-accessible with no user interaction required, indicating the VS Code component binds an exploitable network interface.

RemediationAI

Apply the patch released by Oracle as part of the June 2026 Critical Patch Update, referenced at https://www.oracle.com/security-alerts/cspujun2026.html. The exact patched release version is not independently confirmed from the available intelligence data - consult the Oracle CPU advisory directly to identify the specific fix version and apply it per Oracle's installation guidance. As a compensating control pending patch deployment, restrict network access to the MySQL Shell VS Code extension's listening interface using host-based firewall rules, limiting reachability to trusted developer hosts only; this directly addresses the AV:N attack vector without disabling functionality. In environments where the VS Code extension is not operationally required, uninstalling or disabling it entirely eliminates the attack surface with no functional trade-off. Network segmentation between developer workstations and database-tier networks further reduces the probability of a low-privileged attacker reaching the vulnerable interface.

Share

EUVD-2026-37364 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy