Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-46869

CVE-2026-46869: MySQL Shell Authentication Bypass Flaw

CVE-2026-46869 is an authentication bypass vulnerability in Oracle MySQL Shell versions 8.4.0-8.4.9 and 9.0.0-9.7.0. This flaw allows unauthorized access to critical data. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-46869 Overview

CVE-2026-46869 affects the Dump and Load component of Oracle MySQL Shell. The flaw allows an unauthenticated attacker with network access to compromise MySQL Shell when a user performs a required action. Successful exploitation can result in unauthorized access to critical data or complete read access to all data accessible through MySQL Shell. Oracle disclosed the issue in the June 2026 Critical Patch Update. The vulnerability is classified under [CWE-352] (Cross-Site Request Forgery) and impacts confidentiality only.

Critical Impact

An unauthenticated attacker can trick a MySQL Shell user into triggering a request that exposes data accessible through MySQL Shell, with no integrity or availability impact.

Affected Products

  • Oracle MySQL Shell versions 8.4.0 through 8.4.9
  • Oracle MySQL Shell versions 9.0.0 through 9.7.0
  • Component: Shell: Dump and Load

Discovery Timeline

Technical Details for CVE-2026-46869

Vulnerability Analysis

The vulnerability resides in the Dump and Load component of MySQL Shell. MySQL Shell is the official administrative client for MySQL Server, supporting JavaScript, Python, and SQL modes. The Dump and Load utilities export and import database content for backup, migration, and replication workflows.

The issue is categorized as Cross-Site Request Forgery [CWE-352]. An attacker delivers a crafted request over the network that the MySQL Shell client processes when the targeted user interacts with attacker-controlled content. The required user interaction makes phishing or social engineering the most plausible delivery path. The attack does not require authentication on the target system.

Impact is restricted to confidentiality. The CVSS vector indicates no integrity or availability impact, meaning the attacker cannot modify dumped data or disrupt Shell operations through this flaw alone. Disclosed data may include any content the Shell session can access during dump or load operations.

Root Cause

The root cause is the absence of sufficient request origin validation in the Dump and Load component. Under [CWE-352], the component honors requests without verifying that they were intentionally initiated by the authenticated user, allowing externally crafted requests to drive Shell operations.

Attack Vector

The attacker stages a malicious page, document, or message containing a crafted request. When a MySQL Shell user interacts with the lure, the Shell processes the forged request and returns data accessible to its session. Multiple protocols are reachable across the network, increasing delivery options. No credentials or prior access on the victim host are required.

No verified exploit code is publicly available. Refer to the Oracle Critical Patch Update Advisory - June 2026 for vendor technical details.

Detection Methods for CVE-2026-46869

Indicators of Compromise

  • Unexpected outbound connections from hosts running mysqlsh to untrusted endpoints during or shortly after user-driven Shell sessions.
  • MySQL Shell dump artifacts written to or read from unusual file paths, network shares, or URLs not associated with sanctioned backup workflows.
  • Phishing messages directing database administrators to open URLs, scripts, or files that invoke MySQL Shell utilities.

Detection Strategies

  • Inventory all workstations and jump hosts running MySQL Shell versions in the affected ranges (8.4.08.4.9 and 9.0.09.7.0).
  • Alert on mysqlsh process executions that load remote URLs or untrusted scripts via the Dump and Load utilities.
  • Correlate MySQL Shell session activity with browser or email client activity on the same host to flag interaction-driven invocations.

Monitoring Recommendations

  • Forward mysqlsh process telemetry, command-line arguments, and child process events to the SIEM for review.
  • Monitor egress traffic from administrator workstations for connections to non-corporate hosts during dump or load operations.
  • Audit MySQL server logs for unusual dump requests originating from Shell clients outside normal maintenance windows.

How to Mitigate CVE-2026-46869

Immediate Actions Required

  • Apply the fixes from the Oracle Critical Patch Update Advisory - June 2026 to all MySQL Shell installations.
  • Restrict MySQL Shell usage to dedicated administrative workstations that are isolated from general web browsing and email.
  • Brief database administrators on the social engineering vector and require verification of any externally sourced Shell scripts or dump targets.

Patch Information

Oracle addressed CVE-2026-46869 in the June 2026 Critical Patch Update. Upgrade MySQL Shell to a fixed release beyond 8.4.9 for the 8.4 branch and beyond 9.7.0 for the 9.x branch as specified in the advisory. Validate the installed version with mysqlsh --version after patching.

Workarounds

  • Disallow execution of MySQL Shell on endpoints that handle email and web browsing until patches are deployed.
  • Block outbound network access from administrator workstations to untrusted destinations during Shell sessions using host firewalls or egress filters.
  • Require Shell scripts and dump configurations to be sourced from version-controlled, signed internal repositories only.
bash
# Verify MySQL Shell version and upgrade on Linux
mysqlsh --version
# Example upgrade via Oracle MySQL APT repository
sudo apt-get update
sudo apt-get install --only-upgrade mysql-shell
mysqlsh --version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.