CVE-2026-46861: Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise MySQL NDB Cluster. While the vulnerability is in MySQL NDB Cluster, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL NDB Cluster accessible data as well as unauthorized access to critical data or complete access t
CVE-2026-46861 is a critical vulnerability in Oracle MySQL NDB Cluster that allows a low privileged attacker with network access via HTTP to compromise the cluster. Affected versions include 8.0.11 through 8.0.46, 8.4.0 through 8.4.9, and 9.0.0 through 9.7.0. Successful exploitation can lead to unauthorized creation, deletion, or modification of critical data, as well as unauthorized access to all data accessible by the cluster. The vulnerability has a CVSS 3.1 base score of 9.6, indicating high confidentiality and integrity impact with no availability impact. Oracle has released a Critical Security Patch Update addressing this and many other vulnerabilities, strongly recommending prompt patching. Mitigations include applying the official patches and potentially blocking network protocols required for exploitation or removing unnecessary privileges, though these may impact functionality.
AI Analysis
Technical Summary
CVE-2026-46861 is a critical vulnerability in the MySQL NDB Cluster component of Oracle MySQL, affecting versions 8.0.11-8.0.46, 8.4.0-8.4.9, and 9.0.0-9.7.0. It allows a low privileged attacker with network access via HTTP to compromise the cluster, resulting in unauthorized creation, deletion, or modification of critical data and unauthorized access to all data accessible by the cluster. The vulnerability has a CVSS 3.1 score of 9.6 with network attack vector, low attack complexity, low privileges required, no user interaction, scope change, and high confidentiality and integrity impacts. Oracle’s June 2026 Critical Security Patch Update includes patches for this vulnerability. Oracle strongly recommends applying these patches promptly to mitigate the risk. Until patched, risk reduction may be possible by blocking required network protocols or removing unnecessary privileges, though these measures may affect application functionality.
Potential Impact
Successful exploitation of CVE-2026-46861 can lead to unauthorized creation, deletion, or modification of critical data within MySQL NDB Cluster, as well as unauthorized access to all data accessible by the cluster. This impacts confidentiality and integrity of data but does not affect availability. The vulnerability is easily exploitable by a low privileged attacker with network access via HTTP, increasing the risk of compromise. The scope of impact may extend beyond MySQL NDB Cluster to additional products due to the nature of the cluster’s data access.
Mitigation Recommendations
Oracle has released a Critical Security Patch Update in June 2026 that includes patches addressing CVE-2026-46861. Customers are strongly advised to apply these official patches without delay. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation and by removing unnecessary privileges from users who do not need them. However, these mitigations may disrupt application functionality. Oracle recommends remaining on actively-supported versions and applying security patches promptly to prevent exploitation.
CVE-2026-46861: Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise MySQL NDB Cluster. While the vulnerability is in MySQL NDB Cluster, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL NDB Cluster accessible data as well as unauthorized access to critical data or complete access t
Description
CVE-2026-46861 is a critical vulnerability in Oracle MySQL NDB Cluster that allows a low privileged attacker with network access via HTTP to compromise the cluster. Affected versions include 8.0.11 through 8.0.46, 8.4.0 through 8.4.9, and 9.0.0 through 9.7.0. Successful exploitation can lead to unauthorized creation, deletion, or modification of critical data, as well as unauthorized access to all data accessible by the cluster. The vulnerability has a CVSS 3.1 base score of 9.6, indicating high confidentiality and integrity impact with no availability impact. Oracle has released a Critical Security Patch Update addressing this and many other vulnerabilities, strongly recommending prompt patching. Mitigations include applying the official patches and potentially blocking network protocols required for exploitation or removing unnecessary privileges, though these may impact functionality.
CVSS v3.1
Score 9.6critical
Affected software
pkg:maven/com.mysql/mysql-ndb-clusterRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-46861 is a critical vulnerability in the MySQL NDB Cluster component of Oracle MySQL, affecting versions 8.0.11-8.0.46, 8.4.0-8.4.9, and 9.0.0-9.7.0. It allows a low privileged attacker with network access via HTTP to compromise the cluster, resulting in unauthorized creation, deletion, or modification of critical data and unauthorized access to all data accessible by the cluster. The vulnerability has a CVSS 3.1 score of 9.6 with network attack vector, low attack complexity, low privileges required, no user interaction, scope change, and high confidentiality and integrity impacts. Oracle’s June 2026 Critical Security Patch Update includes patches for this vulnerability. Oracle strongly recommends applying these patches promptly to mitigate the risk. Until patched, risk reduction may be possible by blocking required network protocols or removing unnecessary privileges, though these measures may affect application functionality.
Potential Impact
Successful exploitation of CVE-2026-46861 can lead to unauthorized creation, deletion, or modification of critical data within MySQL NDB Cluster, as well as unauthorized access to all data accessible by the cluster. This impacts confidentiality and integrity of data but does not affect availability. The vulnerability is easily exploitable by a low privileged attacker with network access via HTTP, increasing the risk of compromise. The scope of impact may extend beyond MySQL NDB Cluster to additional products due to the nature of the cluster’s data access.
Mitigation Recommendations
Oracle has released a Critical Security Patch Update in June 2026 that includes patches addressing CVE-2026-46861. Customers are strongly advised to apply these official patches without delay. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation and by removing unnecessary privileges from users who do not need them. However, these mitigations may disrupt application functionality. Oracle recommends remaining on actively-supported versions and applying security patches promptly to prevent exploitation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- oracle
- Date Reserved
- 2026-05-18T15:55:10.307Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.oracle.com/security-alerts/cspujun2026.html","vendor":"Oracle"}]
Threat ID: 6a31b61b0b89be6888265b45
Added to database: 6/16/2026, 8:46:19 PM
Last enriched: 6/16/2026, 10:01:15 PM
Last updated: 6/17/2026, 5:02:47 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.