CVE-2026-46850: Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell for VS Code)
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell for VS Code). The supported version that is affected is 2026.2.0+9.6.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise MySQL Shell. While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Shell. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a critical-severity vulnerability in the Shell for VS Code component of Oracle MySQL Shell (version 2026.2.0+9.6.1). An attacker with a low-privilege account can reach the affected service over the network via HTTP and exploit it without any victim interaction, triggering a full takeover of MySQL Shell with scope change effects on other products running in the same environment. No fix version has been published yet; HarborGuard tracks the upstream advisory and will make a patched-image rebuild available the moment Oracle ships a patch.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle MySQL Shell or the VS Code shell extension. Coverage applies to both registry scans and active pipeline checks.
Status: Available
HarborGuard is capable of scoring this CVE at its published CVSS v3.1 base score of 9.9 (Critical) and weighting that score against each environment's configured compliance policy. Triage routing is available to direct findings to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Status: Available
Because no fix version has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once a fix version becomes available.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must reach the affected MySQL Shell service over the network via HTTP; local or physical access is not required.
- Authentication: Required
Any low-privilege account is sufficient; no administrative or elevated credentials are needed beyond a basic authenticated session.
- Victim interaction: Not required
No user action, click, or social-engineering step is needed; the attacker can exploit the service directly.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, special memory layout, or other environmental preconditions.
Blast Radius
- A successful attacker achieves full takeover of MySQL Shell, including the ability to read all data accessible to the shell process such as database credentials, query results, and session tokens.
- The attacker can modify or delete persisted data and configurations managed through the shell, including connected database schemas.
- The shell process can be crashed or made unavailable, disrupting developer and operational workflows that depend on it.
- Because the CVSS scope is changed, other products or services co-located in the same environment may also be compromised through lateral movement from the shell process.
How HarborGuard Handles This
Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-46850, HarborGuard monitors the upstream advisory on every ingest cycle and will trigger a patched-image rebuild automatically as soon as a fix version is released. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads with no manual steps required. In the interim, compensating controls are worth considering: network policy isolation to restrict HTTP access to the MySQL Shell service to trusted source addresses only, egress filtering to limit outbound connections from the shell container, and disabling the Shell for VS Code component where it is not actively needed. Where compliance policy permits, HarborGuard can surface these compensating-control recommendations as inline annotations on the finding.
- Oracle Corporation / MySQL Shell 2026.2.0+9.6.1
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H