External risk intelligence

MySQL NDB Cluster Operator Unauthorized Data Access Vulnerability.

CVE advisory

Severity: CRITICAL (CVSS 9.6)

CVE-2026-46861

A vulnerability in Oracle MySQL NDB Cluster's NDB Operator component could allow a low-privileged attacker with network access to compromise the cluster. Successful exploitation may result in unauthorized access, modification, or deletion of critical data, with potential impact on other products. Uncertainty exists reg

3 Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2026-46861

The vulnerability affects the NDB Operator for MySQL NDB Cluster. While the HTTP network access is mentioned, such management operators are typically intended for internal administrative use within Kubernetes or cluster environments rather than being exposed directly to the public internet.

PCI scan relevance

PCI Relevance for CVE-2026-46861

Yes

CVE-2026-46861 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows unauthorized access and modification of critical data, which is a common cause for failing PCI scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in Oracle MySQL's NDB Cluster component, specifically affecting the NDB Operator. This issue, if exploited, could allow unauthorized access to and modification of critical data within the MySQL NDB Cluster, potentially impacting other connected products.

  • Unauthorized data access and modification possible.
  • Affects a core database clustering component.
  • Confirm relevance and assess potential data exposure.

Attack Path

How an attacker could exploit the issue

An attacker with network access and low privileges can reach the MySQL NDB Operator, a component of MySQL NDB Cluster. By interacting with this component, an attacker can compromise the cluster, potentially leading to unauthorized access, modification, or deletion of critical data. The impact may extend to other products due to a scope change.

  • Requires network access.
  • Triggers via the NDB Operator.
  • Risk of data compromise.

Live Threat

Current exploitation, exposure, and threat context

A low-privileged attacker with network access via HTTP could potentially compromise the MySQL NDB Cluster. This could lead to unauthorized modification of, or complete access to, critical data or all data accessible within the cluster, and may impact additional products beyond the MySQL NDB Cluster itself.

  • Critical data in MySQL NDB Cluster.
  • Network access via HTTP.
  • Unauthorized data access or modification.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Oracle MySQL NDB Cluster, specifically the NDB Operator component, likely falls under the purview of database administration teams, platform engineering, or DevOps responsible for managing the MySQL NDB Cluster environment. The first practical step is to identify all instances of the affected MySQL NDB Cluster product, determine their exposure and criticality, and locate the accountable system owner before planning remediation.

  • Database and platform teams own this issue.
  • Verify NDB Cluster exposure and criticality first.
  • Plan remediation based on confirmed risk.

Frequently asked questions

What is the MySQL NDB Operator?

The MySQL NDB Operator is a software component designed to automate the management and lifecycle of MySQL NDB Cluster deployments within environments like Kubernetes. It helps administrators handle tasks such as scaling, upgrades, and configuration. Because it acts as a central control point for the cluster, any weakness in the operator can directly affect the security and operation of the entire database cluster it manages.

What does CWE-284 mean for CVE-2026-46861?

CWE-284 refers to Improper Access Control. In the context of this vulnerability, it means the NDB Operator fails to correctly verify the permissions of users attempting to interact with it via HTTP. Because this control is insufficient, an attacker with low-level privileges can bypass intended security boundaries to perform unauthorized actions, such as viewing, altering, or deleting critical data managed by the NDB Cluster.

How is this vulnerability triggered?

The vulnerability is triggered when an attacker with network connectivity sends specific HTTP requests to the affected NDB Operator. It is important to note that this is not triggered by standard database queries or normal user traffic within the application layer; rather, it requires an attacker to interact directly with the management interface of the operator component itself.

Is my system at risk according to Halo Surface Signal?

Halo Surface Signal suggests that while the vulnerability is critical, the risk often depends on how you host your NDB Operator. Since these operators are typically designed for internal administrative use within private cluster environments, they should not be directly reachable from the public internet. If your management interfaces are restricted to internal networks, the likelihood of an external attacker reaching the component is significantly lower.

What should I do if I run MySQL NDB Cluster?

First, identify all instances of the NDB Operator within your infrastructure. Once located, verify their network accessibility to ensure they are not exposed to the public internet or untrusted segments. Work with your platform engineering or DevOps teams to assess the criticality of these clusters and prepare for updates provided by Oracle, as this vulnerability requires an administrative update to remediate.
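The inventory and reachability check described above can be scripted against a cluster's Service list. The following is an added example, not Oracle's or the advisory's own tooling: it assumes operator-related Services can be recognised by the substring `ndb-operator` in their name, labels or selector, and it runs on a constructed sample shaped like `kubectl get svc -A -o json` output.

```python
import json

# Constructed sample shaped like `kubectl get svc -A -o json` output.
# All names, namespaces and labels are illustrative assumptions.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "ndb-system", "name": "ndb-operator-webhook",
               "labels": {"app": "ndb-operator"}},
  "spec": {"type": "ClusterIP"}},
 {"metadata": {"namespace": "db-prod", "name": "mgmt-gateway"},
  "spec": {"type": "LoadBalancer", "selector": {"app": "ndb-operator"}}},
 {"metadata": {"namespace": "db-test", "name": "ndb-operator-debug"},
  "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"]}},
 {"metadata": {"namespace": "shop", "name": "frontend"},
  "spec": {"type": "LoadBalancer", "selector": {"app": "frontend"}}}
]}""")

# Assumption: substring that identifies operator workloads in this environment.
MATCH = "ndb-operator"
# Service types that are reachable from outside the cluster network.
EXTERNAL_TYPES = {"LoadBalancer", "NodePort"}

def is_operator_service(svc):
    """Match on name, label keys/values and selector keys/values."""
    meta, spec = svc.get("metadata", {}), svc.get("spec", {})
    haystack = [meta.get("name", "")]
    for mapping in (meta.get("labels") or {}, spec.get("selector") or {}):
        haystack.extend(mapping.keys())
        haystack.extend(mapping.values())
    return any(MATCH in str(value) for value in haystack)

def exposure_reasons(svc):
    """Return why a Service is reachable beyond the cluster, if it is."""
    spec = svc.get("spec", {})
    reasons = []
    if spec.get("type", "ClusterIP") in EXTERNAL_TYPES:
        reasons.append("type=" + spec["type"])
    if spec.get("externalIPs"):
        reasons.append("externalIPs set")
    return reasons

def audit(service_list):
    """List every operator-related Service with its exposure reasons."""
    return [{"service": f'{s["metadata"].get("namespace", "default")}/'
                        f'{s["metadata"]["name"]}',
             "exposed": exposure_reasons(s)}
            for s in service_list.get("items", []) if is_operator_service(s)]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding["service"], ", ".join(finding["exposed"]) or "cluster-internal only")
```

This covers Service objects only; Ingress or Gateway routes and cloud firewall rules that forward to the operator need a separate review.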
