CVE-2026-46869: Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Shell. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Shell accessible data. in Oracle Corporation MySQL Shell
CVE-2026-46869 is a vulnerability in Oracle MySQL Shell affecting versions 8.4.0 through 8.4.9 and 9.0.0 through 9.7.0. It allows an unauthenticated attacker with network access via multiple protocols to compromise MySQL Shell. Successful exploitation requires human interaction from a user other than the attacker. The vulnerability can lead to unauthorized access to critical or all data accessible by MySQL Shell. The CVSS 3.1 base score is 6.5, indicating a medium severity focused on confidentiality impact. Oracle has included this vulnerability in its June 2026 Critical Security Patch Update, which provides patches for affected versions. Oracle strongly recommends applying these patches promptly to mitigate the risk. Until patches are applied, risk reduction may be possible by blocking required network protocols or removing unnecessary privileges, though these may impact functionality.
AI Analysis
Technical Summary
CVE-2026-46869 is a medium severity vulnerability in Oracle MySQL Shell's Dump and Load component affecting versions 8.4.0-8.4.9 and 9.0.0-9.7.0. It permits an unauthenticated attacker with network access via multiple protocols to compromise MySQL Shell, contingent on user interaction from a non-attacker. Exploitation can result in unauthorized access to critical or all data accessible through MySQL Shell. The vulnerability has a CVSS 3.1 score of 6.5 with a vector indicating network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, and high confidentiality impact. Oracle has addressed this vulnerability in its June 2026 Critical Security Patch Update, which includes patches for MySQL Shell among other products. Oracle advises customers to apply these patches without delay and provides guidance on temporary risk reduction measures such as blocking network protocols or limiting privileges, acknowledging potential impacts on application functionality.
Potential Impact
Successful exploitation of this vulnerability can lead to unauthorized access to critical or all data accessible by MySQL Shell. The confidentiality of data is impacted, but integrity and availability are not affected according to the CVSS vector. The attack requires network access and user interaction from a person other than the attacker. There are no known exploits in the wild at this time.
Mitigation Recommendations
Oracle has released patches for this vulnerability as part of the June 2026 Critical Security Patch Update. Customers are strongly advised to apply these security patches promptly to mitigate the risk. Until patches are applied, risk may be reduced by blocking network protocols required by the attack or by removing unnecessary privileges from users, though these measures may affect application functionality. Patch status is confirmed by Oracle's advisory: a fix is available. Refer to the Oracle advisory at https://www.oracle.com/security-alerts/cspujun2026.html for detailed patch availability and installation instructions.
CVE-2026-46869: Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Shell. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Shell accessible data. in Oracle Corporation MySQL Shell
Description
CVE-2026-46869 is a vulnerability in Oracle MySQL Shell affecting versions 8.4.0 through 8.4.9 and 9.0.0 through 9.7.0. It allows an unauthenticated attacker with network access via multiple protocols to compromise MySQL Shell. Successful exploitation requires human interaction from a user other than the attacker. The vulnerability can lead to unauthorized access to critical or all data accessible by MySQL Shell. The CVSS 3.1 base score is 6.5, indicating a medium severity focused on confidentiality impact. Oracle has included this vulnerability in its June 2026 Critical Security Patch Update, which provides patches for affected versions. Oracle strongly recommends applying these patches promptly to mitigate the risk. Until patches are applied, risk reduction may be possible by blocking required network protocols or removing unnecessary privileges, though these may impact functionality.
CVSS v3.1
Score 6.5medium
Affected software
pkg:github/mysql/mysql-shellRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-46869 is a medium severity vulnerability in Oracle MySQL Shell's Dump and Load component affecting versions 8.4.0-8.4.9 and 9.0.0-9.7.0. It permits an unauthenticated attacker with network access via multiple protocols to compromise MySQL Shell, contingent on user interaction from a non-attacker. Exploitation can result in unauthorized access to critical or all data accessible through MySQL Shell. The vulnerability has a CVSS 3.1 score of 6.5 with a vector indicating network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, and high confidentiality impact. Oracle has addressed this vulnerability in its June 2026 Critical Security Patch Update, which includes patches for MySQL Shell among other products. Oracle advises customers to apply these patches without delay and provides guidance on temporary risk reduction measures such as blocking network protocols or limiting privileges, acknowledging potential impacts on application functionality.
Potential Impact
Successful exploitation of this vulnerability can lead to unauthorized access to critical or all data accessible by MySQL Shell. The confidentiality of data is impacted, but integrity and availability are not affected according to the CVSS vector. The attack requires network access and user interaction from a person other than the attacker. There are no known exploits in the wild at this time.
Mitigation Recommendations
Oracle has released patches for this vulnerability as part of the June 2026 Critical Security Patch Update. Customers are strongly advised to apply these security patches promptly to mitigate the risk. Until patches are applied, risk may be reduced by blocking network protocols required by the attack or by removing unnecessary privileges from users, though these measures may affect application functionality. Patch status is confirmed by Oracle's advisory: a fix is available. Refer to the Oracle advisory at https://www.oracle.com/security-alerts/cspujun2026.html for detailed patch availability and installation instructions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- oracle
- Date Reserved
- 2026-05-18T15:55:10.308Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.oracle.com/security-alerts/cspujun2026.html","vendor":"Oracle"}]
Threat ID: 6a31b61e0b89be6888265b9f
Added to database: 6/16/2026, 8:46:22 PM
Last enriched: 6/16/2026, 10:01:06 PM
Last updated: 6/17/2026, 4:57:00 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.