Description
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
Published: 2026-04-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure
Action: Apply patch
AI Analysis

Impact

An information‑schema component flaw in Oracle MySQL Server allows an attacker with low privileges and network reach to read data that the server makes available. The weakness is an access control issue that lets a user bypass safeguards and retrieve non‑critical informational data, thus lowering confidentiality. The vulnerability is categorized under CWE-200 (Information Exposure) and CWE-201 (Improper Authorization).

Affected Systems

Oracle MySQL Server releases 8.0.0 through 8.0.45, 8.4.0 through 8.4.8, and 9.0.0 through 9.6.0 are affected. Any deployment using these versions on a network that permits MySQL protocol traffic is at risk.

Risk and Exploitability

The CVSS v3.1 base score of 4.3 indicates a moderate confidentiality impact. The EPSS score is reported as less than 1 %, implying that exploitation is unlikely but not impossible. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is via the network, through standard MySQL protocols, and an attacker only needs basic network access and a low‑privilege account to read sensitive data. No local privileges or user interaction are required, so the risk remains moderate for exposed installations.

Generated by OpenCVE AI on April 29, 2026 at 03:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor‑issued patches for MySQL Server as soon as they are released.
  • Restrict network access to the MySQL Server so that only trusted hosts or internal networks can reach the Information Schema endpoints.
  • Configure the MySQL server to disable or restrict Information Schema access for non‑privileged users if such configuration is available, limiting exposure.

Generated by OpenCVE AI on April 29, 2026 at 03:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 00:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-285

Thu, 23 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title mysql: Information Schema unspecified vulnerability (CPU Apr 2026)
Weaknesses CWE-201
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 07:30:00 +0000

Type Values Removed Values Added
Title Information Disclosure via MySQL Information Schema – Low Privilege Attack
Weaknesses CWE-200
CWE-284
CWE-285

Wed, 22 Apr 2026 05:30:00 +0000

Type Values Removed Values Added
Title Low Privileged Information Disclosure via MySQL Server Information Schema Information Disclosure via MySQL Information Schema – Low Privilege Attack
Weaknesses CWE-284
CWE-285

Wed, 22 Apr 2026 03:15:00 +0000

Type Values Removed Values Added
Title Low Privileged Information Disclosure via MySQL Server Information Schema
Weaknesses CWE-284
CWE-285

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
First Time appeared Oracle
Oracle mysql Server
CPEs cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle mysql Server
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Oracle Mysql Server
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T13:35:16.426Z

Reserved: 2026-01-05T18:07:34.728Z

Link: CVE-2026-22015

cve-icon Vulnrichment

Updated: 2026-04-22T13:34:41.300Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T21:16:28.310

Modified: 2026-04-23T15:01:21.977

Link: CVE-2026-22015

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-21T00:00:00Z

Links: CVE-2026-22015 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T03:15:45Z

Weaknesses