Mysql Router
Monthly
Denial of service in Oracle MySQL Router 8.4.0-8.4.9 and 9.0.0-9.7.0 allows unauthenticated remote attackers to hang or repeatedly crash the routing service over TLS-enabled network connections, producing a complete DOS of the affected component. CVSS 3.1 scores this 7.5 with availability-only impact, and no public exploit identified at time of analysis. Because MySQL Router brokers application traffic to InnoDB Cluster/ReplicaSet backends, an outage cascades into downstream application unavailability even when the database servers themselves remain healthy.
Remote takeover of Oracle MySQL Router 9.0.0 through 9.7.0 is possible by unauthenticated attackers reaching the Router over HTTP, per Oracle's Critical Patch Update advisory (CPU June 2026). Oracle scores this 9.8 CVSS 3.1 with full confidentiality, integrity, and availability impact, and rates exploitation as easy. No public exploit identified at time of analysis and the CVE is not present in CISA KEV, but the network-reachable, no-auth, low-complexity profile makes it a high-priority patch.
Denial of service in Oracle MySQL Router 8.4.0-8.4.9 and 9.0.0-9.7.0 allows unauthenticated remote attackers to hang or repeatedly crash the routing service over TLS-enabled network connections, producing a complete DOS of the affected component. CVSS 3.1 scores this 7.5 with availability-only impact, and no public exploit identified at time of analysis. Because MySQL Router brokers application traffic to InnoDB Cluster/ReplicaSet backends, an outage cascades into downstream application unavailability even when the database servers themselves remain healthy.
Remote takeover of Oracle MySQL Router 9.0.0 through 9.7.0 is possible by unauthenticated attackers reaching the Router over HTTP, per Oracle's Critical Patch Update advisory (CPU June 2026). Oracle scores this 9.8 CVSS 3.1 with full confidentiality, integrity, and availability impact, and rates exploitation as easy. No public exploit identified at time of analysis and the CVE is not present in CISA KEV, but the network-reachable, no-auth, low-complexity profile makes it a high-priority patch.