This advisory covers a Critical Security Patch Update from Oracle issued in June 2026 that addresses multiple security vulnerabilities in Oracle MySQL products such as MySQL Shell, MySQL Router, MySQL NDB Cluster, and MySQL Server, among others. The update includes 245 new security patches across various Oracle product families. The vulnerabilities are identified by multiple CVEs including CVE-2026-46850 and related CVEs. Oracle emphasizes the importance of applying patches promptly to prevent exploitation. The affected versions include MySQL Cluster versions 8.0.11-8.0.46, 8.4.0-8.4.9, 9.0.0-9.7.0; MySQL NDB Cluster versions 8.0.11-8.0.46, 8.4.0-8.4.9, 9.0.0-9.7.0; MySQL Router versions 8.4.0-8.4.9, 9.0.0-9.7.0; MySQL Server versions 8.4.0-8.4.9, 9.0.0-9.7.0; and MySQL Shell versions 8.4.0-8.4.9, 9.0.0-9.7.0, and 2026.2.0+9.6.1. Oracle does not disclose detailed exploitability information but provides risk matrices for customer risk analysis. No known exploits in the wild have been reported.

The vulnerabilities addressed by this Critical Security Patch Update affect multiple Oracle MySQL products and other Oracle software, potentially allowing attackers to exploit security weaknesses if patches are not applied. Oracle reports no known exploits in the wild but notes that attackers have previously succeeded when patches were not applied. The impact depends on the specific vulnerabilities patched but is considered significant enough to warrant a critical security update with 245 patches across many products.

Oracle strongly recommends that customers apply the June 2026 Critical Security Patch Update promptly to mitigate the vulnerabilities. Until patches are applied, risk may be reduced by blocking network protocols required by potential attacks and removing unnecessary privileges or package access from users. Oracle advises remaining on actively-supported versions and applying security patches without delay. No alternative mitigations or 'no action required' statements are provided by the vendor.