External risk intelligence

MySQL Router HTTP Vulnerability Allows Takeover

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-46860

A critical vulnerability in Oracle's MySQL Router allows unauthenticated attackers with network access to take over the router. This easily exploitable issue could impact the confidentiality, integrity, and availability of the router and its managed services. Confirming if MySQL Router is in use is essential.

Halo Surface Signal

Likely · external exposure

MySQL Router is a middleware component designed to route traffic between applications and database servers. As a network-facing service intended to facilitate connectivity, it is commonly deployed in positions where it may be reachable over a network, and the vulnerability specifically allows for unauthenticated access via HTTP, which is often exposed in application infrastructure.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Oracle's MySQL Router, a component that manages traffic between applications and database servers. This issue allows an attacker to potentially take full control of the router without needing any credentials, posing a significant risk to systems that rely on this service for database connectivity. The main concern is to determine if your environment utilizes this specific technology.

  • Unauthenticated attackers can take over MySQL Router.
  • Critical access control vulnerability for database traffic.
  • Confirm if MySQL Router is used in your systems.

Attack Path

How an attacker could exploit the issue

An attacker can compromise MySQL Router by reaching it over the network via HTTP. This unauthenticated access allows them to take control of the router.

  • Attacker needs network access.
  • Vulnerability triggered via HTTP.
  • Complete takeover of the router.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could impact MySQL Router, potentially leading to a complete takeover of the service when exploited. An unauthenticated attacker with network access can exploit this easily. This could affect the confidentiality, integrity, and availability of the MySQL Router and any services it manages.

  • Compromised MySQL Router service.
  • Network-accessible through HTTP.
  • Full takeover of the router.

Operational Fix

Recommended remediation, mitigation, and detection steps

The MySQL Router product is likely managed by infrastructure, platform, or database administration teams responsible for application connectivity. The initial step is to locate all instances of MySQL Router, assess their network exposure and criticality, and identify the accountable owners before planning remediation.

  • Infrastructure or platform teams should own the response.
  • Verify network exposure and business criticality.
  • Plan remediation based on assessed risk.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-46860 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This CVE affects MySQL Router and allows unauthenticated network attackers to compromise the system, which is a type of vulnerability that typically causes an ASV scan to fail.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Frequently asked questions

What is MySQL Router?

MySQL Router is a middleware component from Oracle designed to manage and route traffic between client applications and MySQL database servers. It serves as a connectivity layer, ensuring that requests from applications are directed to the correct database instances, which is essential for maintaining scalable and reliable database infrastructures.

What does CVE-2026-46860 mean for my systems?

This CVE describes a critical security flaw in the MySQL Router component. It allows an attacker to gain full control over the router without needing to provide any credentials. Because the router sits between applications and databases, a compromise here could allow an attacker to disrupt, intercept, or manipulate the traffic flowing to your databases, impacting their confidentiality, integrity, and availability.

How can an attacker trigger this vulnerability?

An attacker triggers this vulnerability by sending specific requests to the MySQL Router over a network using the HTTP protocol. Crucially, the attacker does not need any prior authentication or special permissions to interact with the service. The vulnerability is tied specifically to this HTTP-based communication; it is not triggered by internal database management tasks that do not involve this specific network interface.

Do I need to worry if my MySQL Router is internal?

Yes, you should still evaluate the risk. According to Halo Surface Signal, MySQL Router is frequently deployed as a network-facing service to facilitate connectivity. Even if you consider it internal, any network segment that can reach the router's HTTP interface could be used by an attacker to exploit this issue. You should verify if the service is reachable from any unauthorized segments or broad network areas.

What steps should I take if I run MySQL Router?

First, conduct an inventory to identify all systems running MySQL Router versions 9.0.0 through 9.7.0. Once identified, work with your infrastructure or database teams to assess the network exposure of these instances. Prioritize limiting access to the HTTP interface as a temporary measure while you coordinate with your team to review official security updates and plan the necessary remediation steps.
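The inventory and exposure check described above can be scripted per host. The following is an added example, not code from Oracle or from this advisory: it classifies a host from its `mysqlrouter --version` banner and the `[http_server]` section of its router configuration. The sample banner and config are constructed, the bucket names are hypothetical, and the fallback bind address and port are assumed defaults to confirm against the documentation for your release.

```python
import configparser
import ipaddress
import re

AFFECTED_MIN, AFFECTED_MAX = (9, 0, 0), (9, 7, 0)  # range stated in this advisory
# Assumed [http_server] defaults when a key is omitted; confirm for your release.
DEFAULT_BIND, DEFAULT_PORT = "0.0.0.0", 8081

# Constructed samples, not taken from a real host.
SAMPLE_BANNER = "MySQL Router  Ver 9.4.0 for Linux on x86_64 (MySQL Community - GPL)"
SAMPLE_CONFIG = """
[http_server]
bind_address = 0.0.0.0
port = 8443
"""


def parse_version(banner):
    """(major, minor, patch) from `mysqlrouter --version` output, else None."""
    m = re.search(r"\bVer\s+(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(map(int, m.groups())) if m else None


def http_listener(config_text):
    """Return the [http_server] listener in a router config, or None if absent."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(config_text)
    if not cp.has_section("http_server"):
        return None
    bind = cp.get("http_server", "bind_address", fallback=DEFAULT_BIND)
    port = cp.getint("http_server", "port", fallback=DEFAULT_PORT)
    try:
        loopback = ipaddress.ip_address(bind).is_loopback
    except ValueError:  # hostname rather than an IP literal
        loopback = bind.lower() == "localhost"
    return {"bind": bind, "port": port, "loopback_only": loopback}


def triage(banner, config_text):
    """Bucket one host for the inventory: version range first, then HTTP bind."""
    version = parse_version(banner)
    if version is None:
        return "unknown-version"
    if not AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "outside-range"
    listener = http_listener(config_text)
    if listener is None:
        return "in-range-no-http-section"
    return "in-range-loopback" if listener["loopback_only"] else "in-range-network"
```

The config shows only what the router binds to; a host in the network-bound bucket still needs its firewall rules and segment reachability checked to establish who can actually reach the HTTP port.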
