{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34318", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-03-26T19:48:45.681Z", "datePublished": "2026-04-21T20:35:39.679Z", "dateUpdated": "2026-04-21T20:35:39.679Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-04-21T20:35:39.679Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Shell. While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Shell accessible data."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "MySQL Shell", "versions": [{"version": "8.0.0", "status": "affected", "lessThanOrEqual": "8.0.45", "versionType": "custom"}, {"version": "8.4.0", "status": "affected", "lessThanOrEqual": "8.4.8", "versionType": "custom"}, {"version": "9.0.0", "status": "affected", "lessThanOrEqual": "9.6.0", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:mysql_shell:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndIncluding": "8.0.45"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:mysql_shell:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.4.0", "versionEndIncluding": "8.4.8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:mysql_shell:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndIncluding": "9.6.0"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Shell. While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Shell accessible data. CVSS 3.1 Base Score 5.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N", "baseScore": 5.8, "baseSeverity": "MEDIUM"}}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Shell. While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Shell accessible data. CVSS 3.1 Base Score 5.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N)."}], "id": "CVE-2026-34318", "lastModified": "2026-04-21T21:16:37.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 4.0, "source": "secalert_us@oracle.com", "type": "Primary"}]}, "published": "2026-04-21T21:16:37.327", "references": [{"source": "secalert_us@oracle.com", "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.0.45]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.4.0,8.4.8]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.6.0]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "MySQL Shell", "source": "cna", "vendor": "Oracle Corporation"}, "product": "mysql_shell", "vendor": "oracle"}], "analysis": {"en": {"generated_at": "2026-04-22T04:52:23.841477+00:00", "value": {"mitigation_remediation": ["Apply the latest MySQL Shell update that addresses the Shell Core Client flaw as detailed in the Oracle CPU\u2011APR\u20112026 advisory.", "Restrict network exposure of MySQL Shell by allowing connections only from trusted IP ranges or via secure tunnels, and ensure that only the necessary protocols are enabled.", "Enforce the principle of least privilege on MySQL Shell user accounts, regularly reviewing and tightening permissions to prevent unauthorized data access."], "summary": {"action": "Patch promptly", "impact": "Confidentiality compromise via unauthorized data access"}, "threat_synthesis": {"affected_systems": "The affected products are Oracle Corporation\u2019s MySQL Shell. Vulnerable releases span the 8.0.x, 8.4.x, and 9.0.x series as specified above.", "description_and_impact": "Oracle MySQL Shell versions 8.0.0\u20118.0.45, 8.4.0\u20118.4.8, and 9.0.0\u20119.6.0 contain a defect in the Shell Core Client that can be triggered by a high\u2011privileged attacker who already has network access. While the vulnerability is difficult to exploit, a successful attack enables the attacker to obtain unauthorized access to all data that the Shell can reach, effectively compromising confidentiality of any MySQL data exposed through these interfaces.", "risk_and_exploitability": "The CVSS v3.1 base score of 5.8 reflects a moderate confidentiality impact, and the vulnerability is not currently listed in the CISA KEV catalog. The lack of an EPSS score implies no publicly reported exploitation yet, but the possibility of a scope change means other related components could also be impacted if the Shell is used as a gateway. The attack requires high privileges on the host system and network connectivity to the Shell, so restricting external access and enforcing strong authentication can reduce the likelihood of exploitation."}}}}, "created": "2026-04-22T03:00:06.532788+00:00", "title": "Unauthorized Access via Improper Access Control in Oracle MySQL Shell", "updated": "2026-04-22T05:00:09.523706+00:00", "vendors": ["oracle", "oracle$PRODUCT$mysql_shell"], "weaknesses": ["CWE-284"]}