Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network vector and low privilege confirmed by Oracle; C:H reflects complete MySQL Shell data read access; no integrity or availability impact is described or inferred.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell for VS Code). The supported version that is affected is 2026.2.0+9.6.1. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Shell. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Shell accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
AnalysisAI
Unauthorized data disclosure in Oracle MySQL Shell's VS Code extension component (version 2026.2.0+9.6.1) allows a low-privileged network attacker to gain complete read access to all data accessible through MySQL Shell. The vulnerability, tagged as Authentication Bypass by ENISA intelligence (EUVD-2026-37364), exploits insufficient authorization controls within the Shell for VS Code component, granting data-tier access without requiring user interaction or elevated privileges beyond an initial low-level credential. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Technical ContextAI
MySQL Shell (CPE: cpe:2.3:a:oracle_corporation:mysql_shell:*:*:*:*:*:*:*:*) is Oracle's advanced command-line client and IDE integration layer for MySQL, providing scripting interfaces in JavaScript, Python, and SQL. The Shell for VS Code component extends this functionality into the Visual Studio Code IDE environment, presumably by exposing a network-facing service or extension API that communicates over multiple protocols - consistent with Oracle's disclosure that the vulnerability is reachable 'via multiple protocols.' The specific affected version is 2026.2.0+9.6.1. Although the CWE field is listed as N/A in official Oracle disclosure data, ENISA intelligence tags this as 'Authentication Bypass,' pointing to a probable CWE-285 (Improper Authorization) or CWE-287 (Improper Authentication) root cause class - where the extension fails to adequately verify that a low-privileged caller is restricted from accessing higher-sensitivity data tiers. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms the attack surface is fully network-accessible with no user interaction required, indicating the VS Code component binds an exploitable network interface.
RemediationAI
Apply the patch released by Oracle as part of the June 2026 Critical Patch Update, referenced at https://www.oracle.com/security-alerts/cspujun2026.html. The exact patched release version is not independently confirmed from the available intelligence data - consult the Oracle CPU advisory directly to identify the specific fix version and apply it per Oracle's installation guidance. As a compensating control pending patch deployment, restrict network access to the MySQL Shell VS Code extension's listening interface using host-based firewall rules, limiting reachability to trusted developer hosts only; this directly addresses the AV:N attack vector without disabling functionality. In environments where the VS Code extension is not operationally required, uninstalling or disabling it entirely eliminates the attack surface with no functional trade-off. Network segmentation between developer workstations and database-tier networks further reduces the probability of a low-privileged attacker reaching the vulnerable interface.
More in Mysql Shell
View allPrivilege escalation and full takeover of Oracle MySQL Shell's VS Code extension affects version 2026.2.0+9.6.1, allowin
Takeover of Oracle MySQL Shell is possible against the Shell for VS Code component in version 2026.2.0+9.6.1, where a lo
Unauthorized access to critical data is achievable in Oracle MySQL Shell's Dump and Load component, affecting versions 8
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: General/Core Client). Rated low severity (CV
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37364