Description
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Shell. While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Shell accessible data. CVSS 3.1 Base Score 5.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N).
Published: 2026-04-21
Score: 5.8 Medium
EPSS: n/a
KEV: No
Impact: Confidentiality compromise via unauthorized data access
Action: Patch promptly
AI Analysis

Impact

Oracle MySQL Shell versions 8.0.0-8.0.45, 8.4.0-8.4.8, and 9.0.0-9.6.0 contain a defect in the Shell Core Client that can be triggered by a high-privileged attacker with network access via multiple protocols. While the vulnerability is difficult to exploit, a successful attack gives the attacker unauthorized access to critical data, or complete access to all data that MySQL Shell can reach, compromising the confidentiality of that data.

Affected Systems

The affected product is Oracle Corporation's MySQL Shell. Vulnerable releases span the 8.0.x, 8.4.x, and 9.x (9.0.0 through 9.6.0) series as specified above.

Risk and Exploitability

The CVSS v3.1 base score of 5.8 (Medium) reflects a high confidentiality impact (C:H) tempered by high attack complexity (AC:H) and the high privileges required (PR:H), with no integrity or availability impact. The vulnerability is not currently listed in the CISA KEV catalog, and no EPSS score is available yet, so there is no exploitation-probability estimate to draw on. The scope change (S:C) means other related components could also be impacted if the Shell is used as a gateway. The attack requires a high-privileged attacker with network access to the Shell, so restricting external access and enforcing strong authentication can reduce the likelihood of exploitation.

Generated by OpenCVE AI on April 22, 2026 at 04:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest MySQL Shell update that addresses the Shell Core Client flaw as detailed in the Oracle CPU‑APR‑2026 advisory.
  • Restrict network exposure of MySQL Shell by allowing connections only from trusted IP ranges or via secure tunnels, and ensure that only the necessary protocols are enabled.
  • Enforce the principle of least privilege on MySQL Shell user accounts, regularly reviewing and tightening permissions to prevent unauthorized data access.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 05:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Unauthorized Access via Improper Access Control in Oracle MySQL Shell |
| Weaknesses | | CWE-284 |

Wed, 22 Apr 2026 00:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Shell. While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Shell accessible data. CVSS 3.1 Base Score 5.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N). |
| First Time appeared | | Oracle; Oracle mysql Shell |
| CPEs | | `cpe:2.3:a:oracle:mysql_shell:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Oracle; Oracle mysql Shell |
| References | | |
| Metrics | | cvssV3_1: `{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N'}` |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-21T20:35:39.679Z

Reserved: 2026-03-26T19:48:45.681Z

Link: CVE-2026-34318

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-21T21:16:37.327

Modified: 2026-04-21T21:16:37.327

Link: CVE-2026-34318

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:00:09Z

Weaknesses