Description
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell for VS Code). The supported version that is affected is 2026.2.0+9.6.1. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Shell. While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Shell. CVSS 3.1 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability resides in the Shell for VS Code component of Oracle MySQL Shell version 2026.2.0+9.6.1. It permits a low‑privileged attacker who can reach the system over the network to compromise the shell, leading to full takeover of the MySQL Shell instance. Exploitation is described as difficult, but when successful it grants an attacker complete control, impacting confidentiality, integrity, and availability. Although the flaw is in MySQL Shell, a compromise may also significantly impact additional products, which is why the CVSS vector records a scope change.

Affected Systems

Affected product is Oracle MySQL Shell, specifically the Shell for VS Code component in version 2026.2.0+9.6.1. No additional vendor or product versions are listed.

Risk and Exploitability

The CVSS v3.1 base score is 8.5, indicating high severity, and the EPSS score is below 1%, suggesting a low but non‑zero likelihood of exploitation. The vulnerability is not included in CISA KEV. The attack vector is network‑based over multiple protocols and the attack complexity is high (AC:H); a low‑privileged attacker who succeeds gains full control of the shell. The high confidentiality, integrity, and availability impacts underscore the severity of the vulnerability.

Generated by OpenCVE AI on June 17, 2026 at 20:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oracle MySQL Shell to a version that includes the vendor‑issued fix for the issue affecting 2026.2.0+9.6.1, once one is available.
  • Restrict network access to the MySQL Shell service with firewall rules that allow only trusted hosts and block protocols that are not needed.
  • If the Shell for VS Code component is not required for operations, disable or remove it until a patch is applied.
  • Continuously monitor MySQL Shell logs for anomalous activity and alert on suspicious authentication or command execution attempts.


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Changes recorded (Type: Values Added; no Values Removed are shown):

  • Description: Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell for VS Code). The supported version that is affected is 2026.2.0+9.6.1. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Shell. While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Shell. CVSS 3.1 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).
  • First Time appeared: Oracle; Oracle mysql Shell
  • CPEs: cpe:2.3:a:oracle:mysql_shell:2026.2.0\+9.6.1:*:*:*:*:*:*:*
  • Vendors & Products: Oracle; Oracle mysql Shell
  • References:
  • Metrics: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:09:32.601Z

Reserved: 2026-05-18T15:55:10.308Z

Link: CVE-2026-46870

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T23:00:05Z

Weaknesses

No weakness.