Description
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Shell. While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Shell accessible data. CVSS 3.1 Base Score 5.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N).
Published: 2026-04-21
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality compromise via unauthorized data access
Action: Patch promptly
AI Analysis

Impact

A flaw in the MySQL Shell Core Client can be triggered by an attacker who, based on the description, appears to require high privileges on the host and can reach the Shell over the network. Although difficult to exploit, the vulnerability permits the attacker to obtain unauthorized access to any data that the Shell can reach, effectively compromising confidentiality of all MySQL data exposed through these interfaces. The description also notes that the vulnerability may affect additional products because the scope can change when the Shell is used as a gateway.

Affected Systems

Oracle Corporation’s MySQL Shell is the affected product. Vulnerable releases include 8.0.0‑8.0.45, 8.4.0‑8.4.8 and 9.0.0‑9.6.0.

Risk and Exploitability

The CVSS v3.1 base score of 5.8 reflects a moderate confidentiality impact. The EPSS score of less than 1% indicates an estimated probability of exploitation that is very low, and the vulnerability is not currently listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation may require high host privileges and network connectivity to the Shell, so restricting external access and enforcing strong authentication can reduce the likelihood of a successful attack. The noted scope change means that if the Shell serves as a gateway, other components may also be impacted.

Generated by OpenCVE AI on April 28, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest MySQL Shell update that addresses the Shell Core Client flaw as outlined in the Oracle CPU‑APR‑2026 advisory.
  • Restrict external exposure of MySQL Shell by allowing connections only from trusted IP ranges or through secure tunnels, and enable only the necessary protocols.
  • Enforce the principle of least privilege on MySQL Shell user accounts, regularly reviewing and tightening permissions to prevent unauthorized data access.
  • Configure MySQL Shell to limit exposure of sensitive data, following best practices to mitigate information exposure associated with improper access control.

Generated by OpenCVE AI on April 28, 2026 at 21:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8363-1 MySQL vulnerabilities
Ubuntu USN Ubuntu USN USN-8363-2 MySQL vulnerabilities
History

Tue, 05 May 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Oracle mysql
CPEs cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
Vendors & Products Oracle mysql

Tue, 28 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Title MySQL Shell Core Client Allows Unauthorized Data Access via Network

Tue, 28 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Title Unauthorized Access via Improper Access Control in Oracle MySQL Shell
Weaknesses CWE-284

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 05:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Access via Improper Access Control in Oracle MySQL Shell
Weaknesses CWE-284

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Shell. While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Shell accessible data. CVSS 3.1 Base Score 5.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N).
First Time appeared Oracle
Oracle mysql Shell
CPEs cpe:2.3:a:oracle:mysql_shell:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle mysql Shell
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Oracle Mysql Mysql Shell
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T13:13:20.696Z

Reserved: 2026-03-26T19:48:45.681Z

Link: CVE-2026-34318

cve-icon Vulnrichment

Updated: 2026-04-22T13:13:15.321Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T21:16:37.327

Modified: 2026-05-05T16:33:29.433

Link: CVE-2026-34318

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T21:30:26Z

Weaknesses