Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-46850

CVE-2026-46850: Oracle MySQL Shell RCE Vulnerability

CVE-2026-46850 is a critical remote code execution vulnerability in Oracle MySQL Shell for VS Code that enables complete system takeover. This article covers the technical details, affected versions, and mitigation strategies.

Published:

CVE-2026-46850 Overview

CVE-2026-46850 is a code injection vulnerability ([CWE-94]) in the Oracle MySQL Shell product, specifically the Shell for VS Code component. The flaw affects MySQL Shell version 2026.2.0+9.6.1 and allows a low-privileged attacker with network access over HTTP to compromise MySQL Shell. The vulnerability carries a scope change, meaning successful exploitation can impact resources beyond the vulnerable component. Oracle published the advisory on June 17, 2026 as part of its Critical Patch Update cycle.

Critical Impact

Successful exploitation results in full takeover of MySQL Shell with confidentiality, integrity, and availability impact extending to additional products through scope change.

Affected Products

  • Oracle MySQL Shell 2026.2.0+9.6.1
  • MySQL Shell for VS Code extension component
  • Downstream products integrating with MySQL Shell (scope change)

Discovery Timeline

  • 2026-06-17 - CVE-2026-46850 published to NVD via Oracle Critical Patch Update
  • 2026-06-18 - Last updated in NVD database

Technical Details for CVE-2026-46850

Vulnerability Analysis

The vulnerability resides in the Shell for VS Code component of Oracle MySQL Shell. It is categorized as Improper Control of Generation of Code ([CWE-94]), commonly referred to as code injection. An attacker authenticated with low privileges can reach the affected interface over HTTP and inject code that the MySQL Shell process subsequently executes. Because the issue triggers a scope change, code running in the MySQL Shell context can affect components outside the original security boundary, including products that consume MySQL Shell output or share its execution environment.

Root Cause

The root cause is improper neutralization of attacker-controlled input that the Shell for VS Code component incorporates into a code construct. When the component processes the malicious payload, the runtime interprets attacker-supplied data as executable code rather than inert data. This pattern is typical of [CWE-94] defects in extension or shell front-ends that evaluate dynamic content received through network channels.

Attack Vector

Exploitation requires network access via HTTP and a low-privileged account on the targeted environment. No user interaction is required. The attacker sends crafted input to the Shell for VS Code interface, which is then evaluated by MySQL Shell. Refer to the Oracle Security Alert for vendor-specific exploitation context. No public proof-of-concept code has been published, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.483%.

// No verified public exploit code is available for CVE-2026-46850.
// See the Oracle Critical Patch Update advisory for technical details.

Detection Methods for CVE-2026-46850

Indicators of Compromise

  • Unexpected outbound or lateral connections originating from processes spawned by MySQL Shell or VS Code extension host
  • Anomalous child processes of mysqlsh or the VS Code extension worker invoking shells, interpreters, or download utilities
  • HTTP requests to the MySQL Shell for VS Code listener containing script delimiters, backticks, or template literal syntax

Detection Strategies

  • Inspect HTTP traffic reaching MySQL Shell endpoints for payloads consistent with JavaScript or Python evaluation primitives
  • Correlate authentication events for low-privileged MySQL accounts with subsequent shell command execution on the host
  • Hunt for newly created files or scheduled tasks written by the MySQL Shell process tree following HTTP activity

Monitoring Recommendations

  • Enable verbose logging on MySQL Shell and forward logs to a centralized analytics platform for retention and search
  • Monitor process lineage from VS Code extension hosts and alert on execution of interpreters, cmd.exe, powershell.exe, or /bin/sh
  • Track Oracle Critical Patch Update advisories and align detection content with newly disclosed MySQL Shell defects

How to Mitigate CVE-2026-46850

Immediate Actions Required

  • Apply the Oracle MySQL Shell update referenced in the June 2026 Critical Patch Update on all systems running version 2026.2.0+9.6.1
  • Restrict network access to the MySQL Shell for VS Code listener to trusted developer workstations only
  • Audit MySQL Shell accounts and remove unused low-privileged users that could be abused as a pivot

Patch Information

Oracle published the fix in the June 2026 Critical Patch Update. Review the Oracle Security Alert for the specific patched build and apply it across all affected MySQL Shell installations. Verify the installed version after patching to confirm remediation.

Workarounds

  • Disable or uninstall the MySQL Shell for VS Code extension on hosts that do not require it until patches are deployed
  • Enforce host-based firewall rules that block HTTP access to MySQL Shell from untrusted networks
  • Require multi-factor authentication and least privilege for all MySQL accounts that can reach the Shell interface
bash
# Verify installed MySQL Shell version and check for the vulnerable build
mysqlsh --version

# Example host-based firewall rule restricting MySQL Shell HTTP listener
# Adjust the port and source range to match your environment
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.