Description
Vulnerability in the MySQL Server, MySQL Cluster product of Oracle MySQL (component: Server: Connection Handling). Supported versions that are affected are MySQL Server: 8.4.0-8.4.9, 9.0.0-9.7.0; MySQL Cluster: 8.0.11-8.0.46, 8.4.0-8.4.9 and 9.0.0-9.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server, MySQL Cluster. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server, MySQL Cluster. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Published: 2026-06-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in the Connection Handling component of Oracle MySQL Server and MySQL Cluster. An unauthenticated attacker who can reach the database instance over the network can cause the server or cluster to hang or crash repeatedly, resulting in a complete denial of service. Confidentiality and integrity are not affected, but availability is lost for all users and applications that rely on the affected instance.

Affected Systems

Oracle Corporation MySQL Server versions 8.4.0 through 8.4.9 and 9.0.0 through 9.7.0, and MySQL Cluster versions 8.0.11 through 8.0.46, 8.4.0 through 8.4.9, and 9.0.0 through 9.7.0 are affected. All other product versions are not impacted.

Risk and Exploitability

The CVSS v3.1 base score of 7.5 classifies the weakness as high severity, and the EPSS score of less than 1% suggests a low yet non-zero likelihood of exploitation at the moment. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, indicating no publicly documented exploitation campaigns yet. However, because the flaw requires no authentication, no user interaction and only network access (AV:N/AC:L/PR:N/UI:N), any MySQL instance reachable from an untrusted network is a potential target. Successful exploitation causes a hang or a frequently repeatable crash, severely impacting application availability.

Generated by OpenCVE AI on June 17, 2026 at 20:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MySQL Server to a version later than 8.4.9 or 9.7.0 that contains the fix
  • Update MySQL Cluster to a version later than 8.0.46 or 9.7.0 that contains the fix
  • Restrict network access to MySQL ports by applying firewall or security group rules so that only trusted hosts can reach the database instance



Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Values Removed: none
Values Added:
Description: Vulnerability in the MySQL Server, MySQL Cluster product of Oracle MySQL (component: Server: Connection Handling). Supported versions that are affected are MySQL Server: 8.4.0-8.4.9, 9.0.0-9.7.0; MySQL Cluster: 8.0.11-8.0.46, 8.4.0-8.4.9 and 9.0.0-9.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server, MySQL Cluster. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server, MySQL Cluster. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
First Time appeared: Oracle; Oracle mysql Cluster; Oracle mysql Server
CPEs: cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*; cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
Vendors & Products: Oracle; Oracle mysql Cluster; Oracle mysql Server
References: (empty)
Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T14:52:56.766Z

Reserved: 2026-05-18T15:55:10.307Z

Link: CVE-2026-46863

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T23:00:05Z

Weaknesses

No weakness.