Security Advisory - Published 2026-06-18 - MySQL / Oracle CPU

MySQL June 2026 CPU: check Router, Shell for VS Code, and NDB Operator

This group covers critical MySQL items from Oracle's June 2026 Critical Patch Update. Treat developer extensions, routing middleware, and Kubernetes operators as part of the database attack surface.

Defensive scope: this page focuses on inventory, patch state, logs, and credential review for owned database environments and approved admin work.

Owner self-check

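# Installed Router and Shell versions (no output means the binary is not on PATH)
mysqlrouter --version 2>/dev/null
mysqlsh --version 2>/dev/null
# MySQL / NDB workloads and NDB custom resource definitions in the cluster
kubectl get pods,deployments -A | grep -iE 'mysql|ndb'
kubectl get crd 2>/dev/null | grep -i ndb
# Config files and VS Code extensions that reference these components
grep -RE "mysqlrouter|mysqlsh|ndb" /etc /opt ~/.vscode/extensions 2>/dev/null | head -120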

What to review

  • MySQL Router versions in edge, app, and internal service networks.
  • MySQL Shell for VS Code installs on admin workstations and jump hosts.
  • NDB Cluster Operator deployments, service accounts, namespaces, and RBAC bindings.
  • Saved database connection profiles, tokens, service users, and recent failed connections.
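
One way to carry out the RBAC review item above, as an added example (not Oracle's or this page's own tooling): it reads a kubectl JSON listing and flags subjects whose name contains mysql or ndb and that are bound to cluster-admin or to a role with wildcard verbs or resources. The sample objects and every example-* name are constructed; the name pattern is an assumption borrowed from the grep filters in the self-check.

```python
import json
import re

# Constructed sample shaped like the output of:
#   kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json
# Every object name below is made up for illustration.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterRole", "metadata": {"name": "example-ndb-operator-role"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "Role", "metadata": {"name": "example-router-role", "namespace": "db"},
  "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "example-ndb-operator-crb"},
  "roleRef": {"kind": "ClusterRole", "name": "example-ndb-operator-role"},
  "subjects": [{"kind": "ServiceAccount", "name": "example-ndb-operator-sa", "namespace": "ndb"}]},
 {"kind": "RoleBinding", "metadata": {"name": "example-router-rb", "namespace": "db"},
  "roleRef": {"kind": "Role", "name": "example-router-role"},
  "subjects": [{"kind": "ServiceAccount", "name": "example-mysqlrouter-sa", "namespace": "db"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "example-unrelated-crb"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "User", "name": "example-admin"}]}
]}""")

def is_broad(rule):
    # Wildcard verbs or resources grant far more than a database operator should need.
    return "*" in rule.get("verbs", []) or "*" in rule.get("resources", [])

def broad_bindings(items, pattern=r"mysql|ndb"):
    """Return (binding, subject, role, scope) for matching subjects bound to broad roles."""
    roles = {}
    for o in items:
        if o["kind"] in ("ClusterRole", "Role"):
            ns = o["metadata"].get("namespace") if o["kind"] == "Role" else None
            roles[(o["kind"], ns, o["metadata"]["name"])] = o.get("rules") or []
    findings = []
    for o in items:
        if o["kind"] not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        ref, bind_ns = o["roleRef"], o["metadata"].get("namespace")
        key = (ref["kind"], bind_ns if ref["kind"] == "Role" else None, ref["name"])
        broad = ref["name"] == "cluster-admin" or any(map(is_broad, roles.get(key, [])))
        scope = "cluster" if o["kind"] == "ClusterRoleBinding" else bind_ns
        for s in o.get("subjects") or []:
            if broad and re.search(pattern, s["name"], re.I):
                findings.append((o["metadata"]["name"], s["name"], ref["name"], scope))
    return findings

if __name__ == "__main__":
    for f in broad_bindings(SAMPLE["items"]):
        print("REVIEW binding=%s subject=%s role=%s scope=%s" % f)
```

On a real cluster, save the kubectl listing named in the comment to a file and pass its "items" list to broad_bindings in place of SAMPLE.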

Safe fix path

  1. Apply the Oracle June 2026 CPU updates for affected MySQL components.
  2. Patch routers and operators before rotating database credentials, unless active compromise is suspected.
  3. Remove old VS Code extensions from admin machines after updating.
  4. Review database, router, Kubernetes audit, and workstation logs for unusual access.

Repair help

Use Ping7 CVE Repair if MySQL Router is public, NDB Operator has broad Kubernetes permissions, or admin workstation extension state is unclear.

References