CVE-2026-46850 Overview
CVE-2026-46850 is a code injection vulnerability ([CWE-94]) in the Oracle MySQL Shell product, specifically the Shell for VS Code component. The flaw affects MySQL Shell version 2026.2.0+9.6.1 and allows a low-privileged attacker with network access over HTTP to compromise MySQL Shell. The vulnerability carries a scope change, meaning successful exploitation can impact resources beyond the vulnerable component. Oracle published the advisory on June 17, 2026 as part of its Critical Patch Update cycle.
Critical Impact
Successful exploitation results in full takeover of MySQL Shell with confidentiality, integrity, and availability impact extending to additional products through scope change.
Affected Products
- Oracle MySQL Shell 2026.2.0+9.6.1
- MySQL Shell for VS Code extension component
- Downstream products integrating with MySQL Shell (scope change)
Discovery Timeline
- 2026-06-17 - CVE-2026-46850 published to NVD via Oracle Critical Patch Update
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-46850
Vulnerability Analysis
The vulnerability resides in the Shell for VS Code component of Oracle MySQL Shell. It is categorized as Improper Control of Generation of Code ([CWE-94]), commonly referred to as code injection. An attacker authenticated with low privileges can reach the affected interface over HTTP and inject code that the MySQL Shell process subsequently executes. Because the issue triggers a scope change, code running in the MySQL Shell context can affect components outside the original security boundary, including products that consume MySQL Shell output or share its execution environment.
Root Cause
The root cause is improper neutralization of attacker-controlled input that the Shell for VS Code component incorporates into a code construct. When the component processes the malicious payload, the runtime interprets attacker-supplied data as executable code rather than inert data. This pattern is typical of [CWE-94] defects in extension or shell front-ends that evaluate dynamic content received through network channels.
Attack Vector
Exploitation requires network access via HTTP and a low-privileged account on the targeted environment. No user interaction is required. The attacker sends crafted input to the Shell for VS Code interface, which is then evaluated by MySQL Shell. Refer to the Oracle Security Alert for vendor-specific exploitation context. No public proof-of-concept code has been published, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.483%.
// No verified public exploit code is available for CVE-2026-46850.
// See the Oracle Critical Patch Update advisory for technical details.
Detection Methods for CVE-2026-46850
Indicators of Compromise
- Unexpected outbound or lateral connections originating from processes spawned by MySQL Shell or VS Code extension host
- Anomalous child processes of mysqlsh or the VS Code extension worker invoking shells, interpreters, or download utilities
- HTTP requests to the MySQL Shell for VS Code listener containing script delimiters, backticks, or template literal syntax
Detection Strategies
- Inspect HTTP traffic reaching MySQL Shell endpoints for payloads consistent with JavaScript or Python evaluation primitives
- Correlate authentication events for low-privileged MySQL accounts with subsequent shell command execution on the host
- Hunt for newly created files or scheduled tasks written by the MySQL Shell process tree following HTTP activity
Monitoring Recommendations
- Enable verbose logging on MySQL Shell and forward logs to a centralized analytics platform for retention and search
- Monitor process lineage from VS Code extension hosts and alert on execution of interpreters, cmd.exe, powershell.exe, or /bin/sh
- Track Oracle Critical Patch Update advisories and align detection content with newly disclosed MySQL Shell defects
How to Mitigate CVE-2026-46850
Immediate Actions Required
- Apply the Oracle MySQL Shell update referenced in the June 2026 Critical Patch Update on all systems running version 2026.2.0+9.6.1
- Restrict network access to the MySQL Shell for VS Code listener to trusted developer workstations only
- Audit MySQL Shell accounts and remove unused low-privileged users that could be abused as a pivot
Patch Information
Oracle published the fix in the June 2026 Critical Patch Update. Review the Oracle Security Alert for the specific patched build and apply it across all affected MySQL Shell installations. Verify the installed version after patching to confirm remediation.
Workarounds
- Disable or uninstall the MySQL Shell for VS Code extension on hosts that do not require it until patches are deployed
- Enforce host-based firewall rules that block HTTP access to MySQL Shell from untrusted networks
- Require multi-factor authentication and least privilege for all MySQL accounts that can reach the Shell interface
# Verify installed MySQL Shell version and check for the vulnerable build
mysqlsh --version
# Example host-based firewall rule restricting MySQL Shell HTTP listener
# Adjust the port and source range to match your environment
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

