CVE-2026-22001 Overview
CVE-2026-22001 is an information disclosure vulnerability in the Oracle MySQL Server Information Schema component. The flaw affects MySQL Server versions 8.0.0-8.0.45, 8.4.0-8.4.8, and 9.0.0-9.6.0. An authenticated attacker with high privileges and network access can exploit the issue across multiple protocols to gain unauthorized read access to a subset of MySQL Server data. The vulnerability is classified under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. Oracle disclosed the issue in the April 2026 Critical Patch Update.
Critical Impact
Authenticated attackers can read a subset of MySQL Server data through the Information Schema component, potentially exposing schema metadata or sensitive database contents.
Affected Products
- Oracle MySQL Server 8.0.0 through 8.0.45
- Oracle MySQL Server 8.4.0 through 8.4.8
- Oracle MySQL Server 9.0.0 through 9.6.0
Discovery Timeline
- 2026-04-21 - CVE-2026-22001 published to NVD as part of the Oracle April 2026 Critical Patch Update
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-22001
Vulnerability Analysis
The vulnerability resides in the Information Schema subsystem of Oracle MySQL Server. Information Schema provides metadata views describing databases, tables, columns, privileges, and server configuration. The flaw allows a high-privileged authenticated user to retrieve information they should not be able to access through these metadata interfaces. The confidentiality impact is limited to a subset of accessible data, with no impact on integrity or availability.
The Exploit Prediction Scoring System (EPSS) probability is 0.03%, indicating a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, and no public proof-of-concept code is available.
Root Cause
The underlying issue is improper restriction of the information returned by the Information Schema component [CWE-200]. The component does not fully enforce privilege boundaries when serving metadata queries, so an account that is authenticated and holds high privileges can observe content that lies outside the scope its grants are meant to permit.
Attack Vector
Exploitation requires network access to the MySQL Server using one of multiple supported protocols, plus an authenticated account with high privileges already established. No user interaction is required, and attack complexity is low. The attacker issues crafted queries against INFORMATION_SCHEMA tables or views to retrieve data outside the scope of their granted permissions. Refer to the Oracle Critical Patch Update April 2026 for detailed technical notes.
Detection Methods for CVE-2026-22001
Indicators of Compromise
- Unusual volume of queries against INFORMATION_SCHEMA tables such as TABLES, COLUMNS, USER_PRIVILEGES, or SCHEMATA from administrative accounts
- Queries enumerating database metadata that fall outside the user's normal operational pattern
- Authenticated sessions from privileged accounts originating from unexpected network locations
Detection Strategies
- Enable the MySQL general query log or audit plugin to record all Information Schema queries with timestamps and source identifiers
- Correlate privileged account activity against baselines to flag metadata enumeration outside normal workflows
- Alert on cross-schema metadata reads from accounts not associated with database administration roles
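The three strategies above can be reduced to two rules over the general query log: a privileged account touching many distinct INFORMATION_SCHEMA tables in a short window (baseline deviation), and an account outside the DBA set reading metadata for a schema other than its own (cross-schema read). The following is an added example, not code from the advisory or from Oracle; the log lines are constructed, the DBA account set, the threshold of four tables and the five-minute window are assumed site-specific values, and "cross-schema" is judged by the heuristic that a scoped query filters table_schema to DATABASE() or to the session's default schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MySQL general query log lines (time, thread id, command,
# argument). These are made-up events, not data from any real server.
SAMPLE_LOG = """\
2026-04-22T10:15:02.000000Z\t   12 Connect\tdba_admin@10.0.0.5 on  using SSL/TLS
2026-04-22T10:15:03.000000Z\t   12 Query\tSELECT * FROM INFORMATION_SCHEMA.SCHEMATA
2026-04-22T10:15:04.000000Z\t   12 Query\tSELECT table_schema, table_name FROM information_schema.tables
2026-04-22T10:15:05.000000Z\t   12 Query\tSELECT * FROM INFORMATION_SCHEMA.COLUMNS WHERE table_schema = 'hr'
2026-04-22T10:15:06.000000Z\t   12 Query\tSELECT * FROM INFORMATION_SCHEMA.USER_PRIVILEGES
2026-04-22T10:15:07.000000Z\t   12 Query\tSELECT grantee FROM information_schema.schema_privileges
2026-04-22T10:15:08.000000Z\t   12 Quit\t
2026-04-22T10:16:00.000000Z\t   13 Connect\tapp_user@10.0.1.7 on shop using SSL/TLS
2026-04-22T10:16:01.000000Z\t   13 Query\tSELECT id, price FROM products WHERE id = 42
2026-04-22T10:16:02.000000Z\t   13 Query\tSELECT COUNT(*) FROM information_schema.tables WHERE table_schema = DATABASE()
2026-04-22T10:16:03.000000Z\t   13 Query\tSELECT column_name FROM information_schema.columns WHERE table_schema = 'hr'
"""

# Assumed site inventory: accounts that legitimately hold DBA-level privileges.
DBA_ACCOUNTS = {"dba_admin@10.0.0.5"}
# Assumed baseline: a privileged account touching this many distinct
# INFORMATION_SCHEMA tables inside WINDOW is treated as metadata enumeration.
ENUM_THRESHOLD = 4
WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(r"^(\S+)\t\s*(\d+)\s+(\w+)\t?(.*)$")
CONNECT_RE = re.compile(r"^(\S+@\S+) on (\S*)")
IS_TABLE_RE = re.compile(r"\binformation_schema\s*\.\s*`?(\w+)`?", re.IGNORECASE)
OWN_SCHEMA_RE = re.compile(r"table_schema\s*=\s*(?:DATABASE\(\)|'(?P<db>[^']*)')", re.IGNORECASE)


def parse_general_log(text):
    """Yield (timestamp, account, default_db, sql) for every Query line, resolving
    the account and default schema from the thread's earlier Connect line."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, tid, command, arg = m.groups()
        if command == "Connect":
            c = CONNECT_RE.match(arg)
            if c:
                sessions[tid] = (c.group(1), c.group(2))
        elif command == "Query" and tid in sessions:
            account, db = sessions[tid]
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ"), account, db, arg
        elif command == "Quit":
            sessions.pop(tid, None)


def is_scoped_to_own_schema(sql, default_db):
    """Heuristic: a metadata query counts as scoped when it filters table_schema
    to DATABASE() or to the session's own default schema; anything else is
    treated as a cross-schema read."""
    m = OWN_SCHEMA_RE.search(sql)
    return m is not None and (m.group("db") is None or m.group("db") == default_db)


def detect(text, dba_accounts=DBA_ACCOUNTS, threshold=ENUM_THRESHOLD, window=WINDOW):
    """Run both rules over a general-log text and return a list of finding dicts."""
    findings = []
    history = defaultdict(list)      # account -> [(timestamp, INFORMATION_SCHEMA table)]
    enumeration_alerted = set()      # alert once per account per run
    for ts, account, db, sql in parse_general_log(text):
        tables = {t.upper() for t in IS_TABLE_RE.findall(sql)}
        if not tables:
            continue
        # Rule A: cross-schema metadata read from an account outside the DBA set.
        if account not in dba_accounts and not is_scoped_to_own_schema(sql, db):
            findings.append({"rule": "cross_schema_read_non_dba", "account": account,
                             "tables": sorted(tables), "sql": sql})
        # Rule B: a privileged account sweeping many distinct IS tables within the window.
        for t in tables:
            history[account].append((ts, t))
        recent = {t for t0, t in history[account] if ts - t0 <= window}
        if account in dba_accounts and len(recent) >= threshold and account not in enumeration_alerted:
            enumeration_alerted.add(account)
            findings.append({"rule": "is_enumeration_privileged", "account": account,
                             "tables": sorted(recent)})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

On the sample, dba_admin trips Rule B at its fourth distinct table (USER_PRIVILEGES) and app_user trips Rule A only on the query that names the hr schema; its DATABASE()-scoped count of its own tables is not reported. The same two rules apply unchanged to audit plugin JSON records once the account, timestamp and query fields are mapped into the tuple parse_general_log yields.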
Monitoring Recommendations
- Forward MySQL audit logs to a centralized SIEM for retention and correlation across sessions
- Track authentication events for high-privileged MySQL accounts and review access from new hosts
- Monitor process and network telemetry on MySQL hosts to identify privilege misuse following compromise of an administrative credential
How to Mitigate CVE-2026-22001
Immediate Actions Required
- Apply the April 2026 Oracle Critical Patch Update to all affected MySQL Server instances
- Inventory MySQL deployments and identify instances running 8.0.0 through 8.0.45, 8.4.0 through 8.4.8, or 9.0.0 through 9.6.0
- Audit accounts with high-privilege roles such as SUPER, PROCESS, or broad SELECT grants and remove unnecessary privileges
- Rotate credentials for privileged database accounts as a precaution
Patch Information
Oracle has released fixed versions through the April 2026 Critical Patch Update. Refer to the Oracle Critical Patch Update Advisory - April 2026 for specific patched build numbers and download instructions. Upgrade to a version beyond 8.0.45, 8.4.8, or 9.6.0 as indicated by Oracle's patch matrix.
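The inventory step and the upgrade targets above amount to a range check on the X.Y.Z prefix of each server's VERSION() string. The following is an added example, not code from the advisory or from Oracle: it encodes only the three affected ranges stated on this page, so versions outside them (for example the 8.1 to 8.3 innovation releases or 5.7) are reported as not listed rather than as confirmed unaffected. The host names and version strings in the sample inventory are constructed.

```python
import re

# Affected ranges exactly as listed in this advisory (inclusive bounds).
AFFECTED_RANGES = (
    ((8, 0, 0), (8, 0, 45)),
    ((8, 4, 0), (8, 4, 8)),
    ((9, 0, 0), (9, 6, 0)),
)

# Leading numeric X.Y.Z of a VERSION() string; build suffixes are ignored.
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(version_string):
    """Return (major, minor, patch) from strings such as '8.0.44-0ubuntu0.22.04.1'
    or '8.4.3-commercial'; raise on anything that does not start with X.Y.Z."""
    m = VERSION_RE.match(version_string)
    if not m:
        raise ValueError(f"unrecognised MySQL version string: {version_string!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version_string):
    """True when the version falls inside one of the advisory's affected ranges.
    Tuple comparison makes 8.0.45 affected and 8.0.46 not, and covers every 9.x
    release up to and including 9.6.0."""
    v = parse_version(version_string)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage(inventory):
    """inventory: {hostname: VERSION() string}. Return the sorted hosts that fall
    inside an affected range and therefore need the April 2026 Critical Patch Update."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = {
    "db-prod-01": "8.0.44-0ubuntu0.22.04.1",
    "db-prod-02": "8.0.46",
    "db-analytics": "8.4.8-commercial",
    "db-lab": "9.3.0",
    "db-legacy": "5.7.44-log",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is in an affected range")
```

Feed it the output of SELECT VERSION() collected from each host (or the version column from your CMDB) and the returned list is the patch work queue; a host that raises ValueError has a version string that needs a manual look rather than being silently skipped.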
Workarounds
- Restrict network access to MySQL Server using firewall rules and bind the listener to internal interfaces only
- Apply the principle of least privilege and avoid granting administrative roles unless strictly necessary
- Require strong authentication and consider certificate-based or multi-factor mechanisms for administrative accounts
- Enable audit logging to deter and detect misuse pending patch deployment
# Configuration example - restrict privileges and enable audit logging
# (audit_log_* variables belong to the MySQL Enterprise Audit plugin and are
#  read-only at runtime, so set them under [mysqld] in my.cnf and restart mysqld
#  rather than using SET GLOBAL)
#   audit_log_policy = ALL
#   audit_log_format = JSON
REVOKE PROCESS, SUPER ON *.* FROM 'app_user'@'%';
FLUSH PRIVILEGES;   # not needed after REVOKE (it takes effect immediately) but harmless
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

