Description
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell for VS Code). The supported version that is affected is 2026.2.0+9.6.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise MySQL Shell. While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Shell. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability in Oracle MySQL Shell allows an attacker who has only low privileges and network access via HTTP to fully compromise the shell, resulting in loss of confidentiality, integrity, and availability for the affected instance. The flaw permits attackers to take over MySQL Shell and could extend their influence to other components, because the CVSS vector marks the scope as changed (S:C).

Affected Systems

Products affected include Oracle Corporation’s MySQL Shell, specifically version 2026.2.0+9.6.1. The issue resides in the Shell for VS Code component and is reachable over HTTP from an external network. No other products are listed as directly impacted, but the scope change implies additional systems could be affected if the shell is integrated elsewhere.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 9.9, indicating critical severity, and an EPSS score of less than 1%, suggesting a very low but non-zero probability of exploitation in the broader threat landscape. The lack of a KEV listing does not diminish the urgency; the attack requires only network access over HTTP and does not require elevated privileges. The likely attack vector is a network-based request over HTTP. This analysis infers improper access control within the shell as the cause, although the record itself lists no weakness (CWE); the result is full takeover capability for the attacker.

Generated by OpenCVE AI on June 17, 2026 at 20:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle patch for MySQL Shell that addresses CVE-2026-46850
  • Upgrade MySQL Shell to a non-affected version or to the latest release documented by Oracle after the patch
  • Restrict HTTP access to the MySQL Shell by employing firewall rules, network segmentation, and secure authentication mechanisms

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Values Removed: none shown
Values Added:

  • Description: Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell for VS Code). The supported version that is affected is 2026.2.0+9.6.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise MySQL Shell. While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Shell. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
  • First Time appeared: Oracle; Oracle mysql Shell
  • CPEs: cpe:2.3:a:oracle:mysql_shell:2026.2.0\+9.6.1:*:*:*:*:*:*:*
  • Vendors & Products: Oracle; Oracle mysql Shell
  • References:
  • Metrics: cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T14:13:07.693Z

Reserved: 2026-05-18T15:55:10.306Z

Link: CVE-2026-46850

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T23:15:16Z

Weaknesses

No weakness.