Security Advisory - Published 2026-06-18 - MySQL / Oracle CPU
MySQL June 2026 CPU: check Router, Shell for VS Code, and NDB Operator
This group covers critical MySQL items from Oracle's June 2026 Critical Patch Update. Treat developer extensions, routing middleware, and Kubernetes operators as part of the database attack surface.
Owner self-check
mysqlrouter --version 2>/dev/null
mysqlsh --version 2>/dev/null
kubectl get pods,deployments -A | grep -i 'mysql\\|ndb'
kubectl get crd 2>/dev/null | grep -i ndb
grep -R "mysqlrouter\\|mysqlsh\\|ndb" /etc /opt ~/.vscode/extensions 2>/dev/null | head -120 What to review
- MySQL Router versions in edge, app, and internal service networks.
- MySQL Shell for VS Code installs on admin workstations and jump hosts.
- NDB Cluster Operator deployments, service accounts, namespaces, and RBAC bindings.
- Saved database connection profiles, tokens, service users, and recent failed connections.
Safe fix path
- Apply the Oracle June 2026 CPU updates for affected MySQL components.
- Patch routers and operators before rotating database credentials, unless active compromise is suspected.
- Remove old VS Code extensions from admin machines after updating.
- Review database, router, Kubernetes audit, and workstation logs for unusual access.
Repair help
Use Ping7 CVE Repair if MySQL Router is public, NDB Operator has broad Kubernetes permissions, or admin workstation extension state is unclear.