Description
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).
Published: 2026-04-21
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Read of Sensitive Data
Action: Update
AI Analysis

Impact

The vulnerability lies in the Information Schema component of Oracle MySQL Server. An attacker with high privileges and network access can read a subset of server data, leading to confidentiality compromise. The flaw is classified as an Information Exposure weakness (CWE‑200) and presents inadequate error handling (CWE‑538). The CVE description highlights that a high‑privileged user can exploit the flaw to obtain unauthorized data.

Affected Systems

Oracle MySQL Server versions 8.0.0 through 8.0.45, 8.4.0 through 8.4.8, and 9.0.0 through 9.6.0 are affected. These releases allow attackers to examine sensitive information through the Information Schema.

Risk and Exploitability

The CVSS base score of 2.7 indicates low severity. The attack vector is network-based and requires a high-privileged attacker with access via multiple protocols. The EPSS score is reported as <1%, indicating a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, so the likelihood of exploitation remains uncertain. However, the issue is described as easily exploitable, meaning that an attacker who can reach the server may use it to read protected data.

Generated by OpenCVE AI on April 28, 2026 at 16:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle MySQL Server patch or upgrade to a release that is newer than 8.0.45, 8.4.8, or 9.6.0.
  • If patching cannot be performed immediately, restrict network access to the Information Schema component or remove exposure to the component through firewall rules, and enforce strict role‑based access control to limit privileges.
  • Verify that any custom stored procedures or user‑defined functions that reference the Information Schema perform proper authorization checks and consider disabling unnecessary user privileges to reduce the attack surface.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-862

Thu, 23 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title Information Schema Improper Authorization in Oracle MySQL Server mysql: Information Schema unspecified vulnerability (CPU Apr 2026)
Weaknesses CWE-538
References
Metrics threat_severity

None

threat_severity

Low


Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title Information Schema Improper Authorization in Oracle MySQL Server
Weaknesses CWE-284
CWE-862

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).
First Time appeared Oracle
Oracle mysql Server
CPEs cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle mysql Server
References
Metrics cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T14:07:52.179Z

Reserved: 2026-01-05T18:07:34.724Z

Link: CVE-2026-22001

Vulnrichment

Updated: 2026-04-22T14:07:47.393Z

NVD

Status: Analyzed

Published: 2026-04-21T21:16:25.253

Modified: 2026-04-23T15:04:19.770

Link: CVE-2026-22001

Redhat

Severity: Low

Public Date: 2026-04-21T00:00:00Z

Links: CVE-2026-22001 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T16:15:20Z

Weaknesses