Description
Vulnerability in the MySQL Router product of Oracle MySQL (component: Router: General). Supported versions that are affected are 9.0.0-9.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise MySQL Router. Successful attacks of this vulnerability can result in takeover of MySQL Router. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the HTTP interface of Oracle MySQL Router allows an unauthenticated attacker with network access to compromise the router. Successful exploitation can lead to full takeover of the routing service, affecting confidentiality, integrity, and availability of the router itself and potentially the database connections it forwards.

Affected Systems

Oracle MySQL Router versions 9.0.0 through 9.7.0 are affected. The vulnerability applies to the general Router component and is present in all builds within that range.

Risk and Exploitability

The CVSS 3.1 base score of 9.8 indicates critical severity. The EPSS score is below 1%, implying that exploitation is currently uncommon, but the zero‑authentication requirement and direct HTTP access mean an attacker can exploit it with only network reach to the router’s HTTP port. The vulnerability is not listed in CISA KEV, but its high impact warrants rapid action.

Generated by OpenCVE AI on June 19, 2026 at 00:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available Oracle patch for MySQL Router as identified in the security advisory.
  • If a patch cannot be applied immediately, disable or restrict the HTTP management interface on the router to prevent unauthenticated access.
  • Use firewall rules or network segmentation to block external traffic to the router’s HTTP port when the interface is not required for your environment.

Generated by OpenCVE AI on June 19, 2026 at 00:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Access Allows Full Compromise of Oracle MySQL Router

Thu, 18 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Code Execution via HTTP in MySQL Router
Weaknesses CWE-287
CWE-77

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Code Execution via HTTP in MySQL Router
Weaknesses CWE-287
CWE-77
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the MySQL Router product of Oracle MySQL (component: Router: General). Supported versions that are affected are 9.0.0-9.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise MySQL Router. Successful attacks of this vulnerability can result in takeover of MySQL Router. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle mysql Router
CPEs cpe:2.3:a:oracle:mysql_router:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle mysql Router
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Mysql Router
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T14:21:12.739Z

Reserved: 2026-05-18T15:55:10.307Z

Link: CVE-2026-46860

cve-icon Vulnrichment

Updated: 2026-06-17T14:45:59.579Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:45:05Z

Weaknesses