HIGH · CVE-2026-46862 · CNA: oracle

CVE-2026-46862: Vulnerability in the MySQL Router product of Oracle MySQL (component: Router: General)

Vulnerability in the MySQL Router product of Oracle MySQL (component: Router: General). Supported versions that are affected are 8.4.0-8.4.9 and 9.0.0-9.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise MySQL Router. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Router. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a denial-of-service vulnerability in Oracle MySQL Router, affecting versions 8.4.0 through 8.4.9 and 9.0.0 through 9.7.0. An unauthenticated attacker with network access can send crafted TLS traffic to trigger a hang or repeated crash of the MySQL Router process, requiring no credentials and no victim interaction. No fix versions have been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle MySQL Router. Any image running an affected version (8.4.0-8.4.9 or 9.0.0-9.7.0) will surface a finding automatically.

Status: Available
Triage

HarborGuard scores this finding at CVSS 7.5 (High) and weights it against each environment's compliance policy to determine urgency and routing. The finding is routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available
Patch

Because no upstream fix has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment Oracle ships a corrected version. In the meantime, customers with auto-remediation enabled will receive an alert with compensating-control guidance rather than a premature rebuild.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the MySQL Router service over the network via TLS; there is no requirement for local or physical access.

  • Authentication: Not required

    No credentials of any kind are needed; the vulnerability is reachable by any unauthenticated network client.

  • Victim interaction: Not required

    The attack is fully one-sided and requires no action from any user or administrator.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; no race conditions or special environmental factors must be aligned for the attack to succeed.

Blast Radius

  • Crashes or hangs the MySQL Router process, cutting off all database connections routed through it.
  • Applications that depend on MySQL Router for load balancing or failover lose connectivity for the duration of the outage.
  • Repeated, easily triggered crashes can sustain a prolonged denial of service without requiring the attacker to maintain a persistent foothold.

How HarborGuard Handles This

Available on HarborGuard.

Because no upstream patch exists for CVE-2026-46862, HarborGuard monitors the Oracle advisory on every ingest cycle and will surface a patched-image rebuild the moment a fix version is published. Until then, customers are encouraged to apply compensating controls such as:

  • restricting TLS access to MySQL Router using network policy (allowlisting only trusted client CIDRs);
  • placing MySQL Router behind an authenticated proxy or VPN gateway to eliminate unauthenticated network exposure;
  • enabling HarborGuard alerting so any change in advisory status, including a new fix release, triggers an immediate notification.

For customers with auto-remediation enabled, a rebuild and regression run will be queued and a PR opened against affected workloads as soon as an upstream fix is available.

Affected packages
  • Oracle Corporation / MySQL Router
    ≤ 8.4.9 · ≤ 9.7.0
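
An inventory check against the bounded ranges given in the description (8.4.0-8.4.9 and 9.0.0-9.7.0), as an added example that is not HarborGuard's or Oracle's code. The host names and version banner strings are constructed, and the banner format is an assumption; the check only needs an x.y.z version somewhere in the text.

```python
import re

# Inclusive ranges exactly as listed in the advisory description.
LISTED_RANGES = [((8, 4, 0), (8, 4, 9)), ((9, 0, 0), (9, 7, 0))]

_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?!\d)")

def parse_version(text):
    """Return the first x.y.z version in text as an int tuple, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None

def in_listed_range(version):
    """True when the version falls inside one of the listed ranges.

    Comparing int tuples avoids the string-comparison trap where
    "8.4.10" sorts before "8.4.9".
    """
    return any(lo <= version <= hi for lo, hi in LISTED_RANGES)

def triage(inventory):
    """Map each host to 'listed', 'not-listed' or 'unknown'."""
    result = {}
    for host, banner in inventory.items():
        version = parse_version(banner)
        if version is None:
            # No parseable version: keep it visible instead of assuming clean.
            result[host] = "unknown"
        else:
            result[host] = "listed" if in_listed_range(version) else "not-listed"
    return result

# Constructed sample inventory (hypothetical hosts and banner text).
SAMPLE = {
    "router-a": "MySQL Router  Ver 8.4.3 for Linux on x86_64",
    "router-b": "MySQL Router  Ver 9.7.0 for Linux on x86_64",
    "router-c": "MySQL Router  Ver 8.4.10 for Linux on x86_64",
    "router-d": "MySQL Router  Ver 8.0.36 for Linux on x86_64",
    "router-e": "mysqlrouter: command not found",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

"not-listed" means only that the version is outside the ranges the advisory names; hosts reported as "unknown" need a manual version check.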
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H