CVE-2026-46861 · Severity: CRITICAL · CNA: oracle

CVE-2026-46861: Vulnerability in the MySQL NDB Cluster product of Oracle MySQL (component: Cluster: NDB Operator)

Vulnerability in the MySQL NDB Cluster product of Oracle MySQL (component: Cluster: NDB Operator). Supported versions that are affected are 8.0.11-8.0.46, 8.4.0-8.4.9 and 9.0.0-9.7.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise MySQL NDB Cluster. While the vulnerability is in MySQL NDB Cluster, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL NDB Cluster accessible data as well as unauthorized access to critical data or complete access to all MySQL NDB Cluster accessible data. CVSS 3.1 Base Score 9.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).

Metrics

  • CVSS v3.1 base score: 9.6
  • Severity: CRITICAL
  • Fixed in: no fix version published yet
  • Affected products: 1


HarborGuard Analysis

Synopsis

An authorization or access-control vulnerability in the MySQL NDB Cluster NDB Operator component allows a low-privileged attacker to reach the service over the network via HTTP and fully compromise the cluster. No authentication beyond a basic low-privilege account is needed, and no victim interaction is required. Successful exploitation gives the attacker complete read access to all cluster data and the ability to create, modify, or delete any data in the cluster, with a scope change that means other products sharing the environment can also be affected. No fix version has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment upstream ships a fix.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-46861 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle MySQL NDB Cluster components.

Triage: Available

Triage is available using the CVSS 3.1 base score of 9.6 (Critical), weighted further by each customer organization's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer environment based on configured ownership rules.

Patch: Pending upstream

Because no upstream fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Oracle ships a corrected release for any of the affected version lines (8.0.x, 8.4.x, or 9.x). For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once a fix version becomes available.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the NDB Operator HTTP endpoint over the network; the service is exposed via HTTP and reachable from any host with network access to it.

  • Authentication: Required

    A low-privilege account is sufficient; the attacker does not need administrative or elevated credentials, but some valid credential is required.

  • Victim interaction: Not required

    No user or administrator action is needed to trigger the vulnerability; the attacker can exploit it entirely through their own requests.

  • Attack complexity: Low

    Attack complexity is Low, meaning the exploit is reliable and requires no special conditions, race timing, or knowledge of target-specific state.

Blast Radius

  • Reads all data stored in the MySQL NDB Cluster, including tables the attacker's account was not explicitly granted access to.
  • Creates, modifies, or deletes any rows or objects within the NDB Cluster, including critical or privileged data.
  • The scope change means other products or services running alongside the NDB Cluster in the same environment can also be compromised as a result of a successful attack.

How HarborGuard Handles This

Because no upstream patch exists yet for CVE-2026-46861, HarborGuard re-evaluates the Oracle advisory on every feed-ingest cycle (these cycles run continuously throughout the day) and will surface a patched-image rebuild the moment a fix is published for any of the affected MySQL NDB Cluster lines (8.0.11-8.0.46, 8.4.0-8.4.9, 9.0.0-9.7.0).

In the interim, compensating controls that can be applied within each customer environment include:

  • network-policy isolation that restricts HTTP access to the NDB Operator endpoint to trusted internal CIDR ranges only;
  • egress filtering that limits what the Operator process can reach if it is compromised;
  • auditing, and where possible revoking, low-privilege accounts that do not require NDB Operator access.

For customers with auto-remediation enabled, once a fix version is available HarborGuard will automatically trigger a rebuild, run a regression test suite against the new image, and open a PR against any affected workloads; in those environments the median time from CVE patch publication to merged PR for Critical-severity issues is typically around 90 minutes.
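As an added illustration of the network-policy and egress-filtering controls described above (this is example configuration written for this page, not HarborGuard's or the NDB Operator project's own), a Kubernetes NetworkPolicy that admits HTTP traffic to the Operator only from a trusted internal CIDR and limits what the Operator pod may reach. The namespace, pod labels, HTTP port, API-server address and CIDR ranges are placeholders and must be replaced with the values of your own deployment.

```yaml
# Added example: interim NetworkPolicy for the NDB Operator pod while no
# upstream fix is available. Every selector, port and CIDR below is an
# assumption/placeholder; verify each against the real deployment.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ndb-operator-restrict            # placeholder policy name
  namespace: ndb-operator                # assumed namespace of the Operator
spec:
  podSelector:
    matchLabels:
      app: ndb-operator                  # assumed label on the Operator pod
  policyTypes:
    - Ingress
    - Egress                             # listing Egress denies all other egress
  ingress:
    # Only the trusted internal range may reach the Operator's HTTP endpoint.
    - from:
        - ipBlock:
            cidr: 10.20.0.0/16           # placeholder trusted CIDR
      ports:
        - protocol: TCP
          port: 8080                     # assumed HTTP port of the Operator
  egress:
    # In-cluster DNS (kube-dns label is the common default; confirm it).
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # The Operator still needs the Kubernetes API server; without this rule
    # the Operator stops reconciling. Use your cluster's real endpoint.
    - to:
        - ipBlock:
            cidr: 10.96.0.1/32           # placeholder API server ClusterIP
      ports:
        - protocol: TCP
          port: 443
    # NDB management traffic to the data/management pods it operates
    # (pod label assumed; 1186 is the default NDB management port).
    - to:
        - podSelector:
            matchLabels:
              app: ndb-node              # assumed label on NDB pods
      ports:
        - protocol: TCP
          port: 1186
```

NetworkPolicy objects are only enforced when the cluster's CNI plugin supports them, so confirm enforcement (for example by probing the HTTP port from a pod outside the trusted CIDR) rather than assuming the policy is active.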

Affected packages
  • Oracle Corporation / MySQL NDB Cluster
    ≤ 8.0.46 · ≤ 8.4.9 · ≤ 9.7.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N