CVE-2026-46860
Oracle has fixed vulnerabilities in Oracle MySQL Shell for VS Code, MySQL Router, MySQL NDB Cluster, and MySQL Server. The vulnerabilities are present in various Oracle MySQL products and versions. In MySQL Shell for VS Code (version 2026.2.0+9.6.1), attackers with low privileges and network access via HTTP or user-interactive network access can gain full control over the MySQL Shell or unauthorized access to critical data. In MySQL Router (versions 8.4.0 to 8.4.9 and 9.0.0 to 9.7.0), unauthenticated attackers can achieve full device takeover or cause a denial-of-service by crashing or hanging the system via HTTP or TLS. MySQL NDB Cluster (versions 8.0.11 to 8.0.46, 8.4.0 to 8.4.9, and 9.0.0 to 9.7.0) contains a vulnerability that allows an attacker with low privileges and network access via HTTP to create, delete, or modify unauthorized critical data. MySQL Server and MySQL Cluster contain a vulnerability that allows an unauthenticated network attacker to cause a denial-of-service by crashing or hanging the server. The vulnerabilities have various CVSS 3.1 base scores ranging from 6.5 to 9.9, depending on the product and the nature of the vulnerability.
CSIRTS triage
- What
- Vulnerabilities in various MySQL products could allow attackers to gain unauthorized access or cause denial-of-service.
- Who is affected
- Users of Oracle MySQL products with network access.
- Urgency
- Remediation is critical due to the potential for unauthorized access and system disruption.
- Action
- Users should apply the updates provided by Oracle.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch CVE-2026-46860
Get an email if CVE-2026-46860 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.51% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 40% of all EPSS-scored CVEs.
Advisory coverage (1)
- unknownNCSC-2026-0205 [1.00] [M/H] Vulnerabilities fixed in Oracle MySQL productsncsc-nl · 2026-06-17
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-46860)