Description
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Shell executes to compromise MySQL Shell. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Shell. CVSS 3.1 Base Score 5.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H).
Published: 2026-04-21
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service from local crash
Action: Monitor
AI Analysis

Impact

An attacker who can log on to the host where MySQL Shell runs can trigger a crash or hang in the Shell component, resulting in a complete denial of service. The flaw is a local, low‑privilege vulnerability that does not grant elevated privileges or data disclosure but can bring the Shell process to an unresponsive state. The CVSS base score of 5.0 reflects an impact on availability only, with an attack vector of local access and required user interaction.

Affected Systems

The vulnerability is present in Oracle MySQL Shell for all supported releases from 8.0.0 to 8.0.45, 8.4.0 to 8.4.8, and 9.0.0 to 9.6.0. All installations of the Shell running under these versions are potentially affected.

Risk and Exploitability

Because the flaw requires an attacker with logon access to the host where MySQL Shell executes, plus interaction from a person other than the attacker, exploitation is limited to environments where an attacker can obtain that logon access. The EPSS score of <1% indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation. The moderate CVSS score reflects a risk to local availability, and the required interaction from a second person further reduces the probability of exploitation.

Generated by OpenCVE AI on April 28, 2026 at 16:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest MySQL Shell update that removes the crash condition
  • If an immediate update is not possible, limit Shell usage to trusted accounts or disable its service in production environments
  • Monitor system logs for repeated crash events and enforce alerts on unresponsive Shell processes


Advisories
Source ID Title
Ubuntu USN USN-8363-1 MySQL vulnerabilities
Ubuntu USN USN-8363-2 MySQL vulnerabilities
History

Tue, 05 May 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Oracle mysql
CPEs cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
Vendors & Products Oracle mysql

Tue, 28 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Title Local Crash Vulnerability in Oracle MySQL Shell Allowing Denial of Service

Tue, 28 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Title MySQL Shell Crash Vulnerability Allowing Local Denial of Service
Weaknesses CWE-400

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-204

Wed, 22 Apr 2026 07:45:00 +0000

Type Values Removed Values Added
Title MySQL Shell Crash Vulnerability Allowing Local Denial of Service
Weaknesses CWE-400

Wed, 22 Apr 2026 06:45:00 +0000

Type Values Removed Values Added
Title Local Denial‑of‑Service via Crash in Oracle MySQL Shell
Weaknesses CWE-734

Wed, 22 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Title Local Denial‑of‑Service via Crash in Oracle MySQL Shell
Weaknesses CWE-734

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Shell executes to compromise MySQL Shell. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Shell. CVSS 3.1 Base Score 5.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H).
First Time appeared Oracle
Oracle mysql Shell
CPEs cpe:2.3:a:oracle:mysql_shell:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle mysql Shell
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T13:38:20.250Z

Reserved: 2026-03-26T19:48:45.681Z

Link: CVE-2026-34319

Vulnrichment

Updated: 2026-04-22T13:37:34.553Z

NVD

Status: Analyzed

Published: 2026-04-21T21:16:37.487

Modified: 2026-05-05T16:33:22.753

Link: CVE-2026-34319

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T16:15:20Z

Weaknesses