This vulnerability (CVE-2026-22015) affects Oracle MySQL Server's Information Schema component in versions 8.0.0-8.0.45, 8.4.0-8.4.8, and 9.0.0-9.6.0. It allows an attacker with low privileges and network access via multiple protocols to read unauthorized subsets of data accessible by MySQL Server. The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and confidentiality impact only. Oracle's April 2026 Critical Patch Update includes patches addressing this vulnerability among 481 others. The vendor strongly recommends applying these patches promptly to mitigate the risk. No public exploit code or active exploitation has been reported.

Successful exploitation of this vulnerability can lead to unauthorized read access to a subset of data accessible by MySQL Server. There is no impact on data integrity or availability. The confidentiality impact is limited, and the overall severity is rated medium with a CVSS 3.1 base score of 4.3. No known exploits in the wild have been reported, reducing immediate risk but patching is advised to prevent potential compromise.

Oracle has released patches for this vulnerability as part of the April 2026 Critical Patch Update. Customers should apply the April 2026 CPU security patches for MySQL Server versions 8.0.0-8.0.45, 8.4.0-8.4.8, and 9.0.0-9.6.0 without delay. Oracle strongly recommends staying on actively supported versions and promptly applying all Critical Patch Updates to mitigate this and other vulnerabilities. Patch status is confirmed as available in the vendor advisory: https://www.oracle.com/security-alerts/cpuapr2026.html.