External risk intelligence

MySQL Shell for VS Code Remote Takeover Vulnerability.

CVE advisory

Severity: CRITICAL (CVSS 9.9)

CVE-2026-46850

A critical vulnerability exists in MySQL Shell for VS Code, allowing a low-privileged attacker with network access to compromise the shell and potentially affect other products. This easily exploitable flaw could lead to a complete takeover of MySQL Shell, impacting confidentiality, integrity, and availability.

Halo Surface Signal: 1

Code Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-46850

The vulnerability affects a plugin specifically designed for the VS Code development environment. As a developer-focused tool used within a local IDE, it is not deployed as an internet-facing service, web application, or edge gateway in standard network configurations.

PCI scan relevance

PCI Relevance for CVE-2026-46850

Yes

CVE-2026-46850 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in MySQL Shell allows a low-privileged attacker with network access to compromise the shell, potentially impacting additional products. Successful attacks can lead to a complete takeover.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in MySQL Shell, specifically within its VS Code integration, could allow a low-privileged attacker with network access to compromise the shell and potentially impact other connected products. The issue has a high severity score, indicating significant potential impacts on confidentiality, integrity, and availability.

  • A serious flaw impacts MySQL's developer tool.
  • It could let attackers gain broad system control.
  • Confirm relevance and scope of affected systems.

Attack Path

How an attacker could exploit the issue

An attacker with network access and low privileges could exploit this vulnerability by targeting the MySQL Shell component within Oracle MySQL. The attack leverages an easily exploitable flaw that, when triggered, can lead to a complete takeover of the MySQL Shell, with potential significant impacts on additional products.

  • Network access and low privileges required.
  • Compromise of MySQL Shell via HTTP.
  • Full control of the affected application.

Live Threat

Current exploitation, exposure, and threat context

A low-privileged attacker with network access could exploit this vulnerability to take over MySQL Shell. This takeover could then impact other connected products, potentially leading to significant confidentiality, integrity, and availability issues.

  • MySQL Shell and connected products.
  • Exploitation over HTTP by a remote attacker.
  • Full compromise of affected systems.

Operational Fix

Recommended remediation, mitigation, and detection steps

The MySQL Shell product, specifically its integration with VS Code, is likely managed by application owners or development teams. The initial focus should be on discovering where this technology is deployed, assessing its business criticality and network exposure, and identifying the accountable owner to plan remediation.

  • Own the issue: Application or development teams.
  • Verify first: Identify and assess exposure.
  • Action: Plan remediation based on risk.


Frequently asked questions

What is MySQL Shell for VS Code?

MySQL Shell for VS Code is an extension that integrates MySQL database management tools directly into the Visual Studio Code development environment. It is used by developers to write, test, and manage database queries and scripts, providing a streamlined workflow for interacting with MySQL databases from within their code editor.

What does CWE-94 mean for CVE-2026-46850?

This vulnerability is classified as CWE-94, which refers to Improper Control of Generation of Code. In plain terms, this means the software incorrectly handles or executes data as if it were valid code. Because of this flaw, an attacker can trick the system into running malicious instructions, potentially leading to a complete takeover of the MySQL Shell application.

How is this vulnerability triggered?

An attacker triggers this flaw by sending a specifically crafted request over HTTP to the affected MySQL Shell component. Because it requires network access, it cannot be triggered by local operations that do not involve external network communication. Simply having the extension installed is not enough; the attacker must be able to interact with the component via the network to initiate the exploit.

Is my environment at risk from this CVE?

According to Halo Surface Signal, this vulnerability is considered very unlikely to be exposed. Because the affected software is a developer tool designed to run locally within an IDE, it typically does not act as an internet-facing service or web application. You are generally at lower risk unless your specific configuration exposes this internal development tool to broader network access.

What steps should I take if I use MySQL Shell?

First, verify where this extension is installed across your development environments. Identify which teams or individuals are using it so you can coordinate with them. Focus on assessing whether any instances are inadvertently reachable over a network rather than restricted to a local machine. Once identified, work with your development leads to plan for necessary software updates.
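The inventory and exposure check from this answer, as an added example (not code from the advisory or from Oracle). It assumes the extension's marketplace ID is `oracle.mysql-shell-for-vs-code`, that its backend runs as the `mysqlsh` binary, and that listener data comes from `ss -ltnp`; the sample output and its ports are constructed.

```python
import ipaddress
import re
from pathlib import Path

# Assumption: installs land in <extensions_root>/<publisher>.<name>-<version>[-<platform>].
EXT_ID = "oracle.mysql-shell-for-vs-code"
DIR_RE = re.compile(rf"^{re.escape(EXT_ID)}-(\d+(?:\.\d+)+)(?:-.+)?$", re.I)
# Assumption: the extension's backend process is the MySQL Shell binary "mysqlsh".
PROC_RE = re.compile(r'users:\(\("mysqlsh"')

def find_installs(extensions_root):
    """Return sorted (version, dirname) pairs for installed copies of the extension."""
    root = Path(extensions_root)
    names = [p.name for p in root.iterdir() if p.is_dir()] if root.is_dir() else []
    return sorted((m.group(1), n) for n in names if (m := DIR_RE.match(n)))

def exposed_listeners(ss_output):
    """Return addr:port of mysqlsh listeners that are not bound to loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN" or not PROC_RE.search(line):
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]
        # "*" and unparsable hosts count as exposed (fail closed).
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            loopback = False
        if not loopback:
            exposed.append(f"{host}:{port}")
    return exposed

# Constructed sample of `ss -ltnp` output, not captured from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:33336    0.0.0.0:*         users:(("mysqlsh",pid=4121,fd=9))
LISTEN 0      128    0.0.0.0:8000       0.0.0.0:*         users:(("mysqlsh",pid=4377,fd=11))
LISTEN 0      128    [::1]:8443         [::]:*            users:(("mysqlsh",pid=4400,fd=7))
LISTEN 0      511    0.0.0.0:5432       0.0.0.0:*         users:(("postgres",pid=901,fd=5))
"""

if __name__ == "__main__":
    print(find_installs(Path.home() / ".vscode" / "extensions"))
    print(exposed_listeners(SAMPLE_SS))
```

Any address the second function returns is a listener to raise with the owning development team; the first function's output gives the installed versions to compare against the vendor's fixed release.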
