Description
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell for VS Code). The supported version that is affected is 2026.2.0+9.6.1. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Shell. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Shell accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
Published: 2026-06-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Shell for VS Code component of Oracle MySQL Shell version 2026.2.0+9.6.1. It permits low‑privileged attackers who can reach the service over the network to gain unauthorized access to data that the shell can reach. Successful exploitation could expose critical database records or provide full read access to all data accessible through the shell. The weakness is an improper access control flaw, classified as CWE‑284.

Affected Systems

Oracle MySQL Shell 2026.2.0+9.6.1 is affected, specifically its Shell for VS Code component. Versions newer than this are not listed as vulnerable in the advisory.

Risk and Exploitability

The CVSS v3.1 base score is 6.5, indicating medium severity and high confidentiality impact. The EPSS score is below 1%, suggesting a low likelihood of current exploitation. The vulnerability is not yet listed in the CISA KEV catalog. The attack vector is inferred to be network‑based, requiring low‑privilege credentials to interact with the shell over its supported protocols. If exploited, attackers can read sensitive data without impacting integrity or availability.

Generated by OpenCVE AI on June 17, 2026 at 18:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MySQL Shell to a version that is not affected by CVE-2026-46871, typically 2026.3.0 or later.
  • If an immediate update is not possible, restrict network access to the MySQL Shell service and enforce least‑privilege authentication to limit attacker reach.
  • Monitor shell logs for abnormal or unauthorized read operations and investigate any suspicious sessions promptly.



Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell for VS Code). The supported version that is affected is 2026.2.0+9.6.1. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Shell. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Shell accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). |
| First Time appeared | | Oracle; Oracle mysql Shell |
| CPEs | | cpe:2.3:a:oracle:mysql_shell:2026.2.0\+9.6.1:*:*:*:*:*:*:* |
| Vendors & Products | | Oracle; Oracle mysql Shell |
| References | | |
| Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:10:25.714Z

Reserved: 2026-05-18T15:55:10.308Z

Link: CVE-2026-46871

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T01:00:15Z

Weaknesses

No weakness.