This vulnerability (CVE-2026-34317) in Oracle MySQL Shell (component: Shell: Core Client) allows a low privileged attacker with infrastructure logon to cause a hang or repeated crash of MySQL Shell, resulting in a denial of service. Exploitation requires user interaction from a third party. Affected versions include 8.0.0-8.0.45, 8.4.0-8.4.8, and 9.0.0-9.6.0. The CVSS 3.1 base score is 5.0, reflecting a medium severity with an impact on availability only (CVSS vector: AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H). Oracle’s April 2026 Critical Patch Update advisory references patches for MySQL Shell among many other products, but does not explicitly confirm the availability of a patch for this specific vulnerability in the provided content.

Successful exploitation can cause MySQL Shell to hang or crash repeatedly, resulting in a complete denial of service. There is no impact on confidentiality or integrity. The attack requires low privileges and user interaction from a third party, limiting the attack vector to environments where the attacker has some access and can induce another user to interact. No known active exploitation has been reported.

Oracle’s April 2026 Critical Patch Update advisory includes security patches for MySQL Shell and related products. Customers are strongly advised to apply the April 2026 Critical Patch Update promptly to address this and other vulnerabilities. Since the advisory does not explicitly confirm the patch status for CVE-2026-34317, users should verify patch availability and applicability in the official Oracle patch documentation linked in the advisory. Until patched, restrict access to the infrastructure where MySQL Shell runs to trusted users only and limit opportunities for social engineering that could induce user interaction.