Skip to main content

Oracle REST Data Services CVE-2026-35266

| EUVDEUVD-2026-33037 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-28 oracle GHSA-g57p-44cp-pjf5
7.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.9 HIGH
AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:29 vuln.today

DescriptionCVE.org

Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 7.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L).

AnalysisAI

Cross-product compromise in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows a low-privileged remote attacker who can lure an authenticated user into interacting with a crafted request to gain high-impact read and write access to ORDS-accessible data and cause partial denial of service. Because the CVSS scope is Changed (S:C), successful exploitation may also impact downstream Oracle components beyond ORDS itself. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the 7.9 base score combined with scope change warrants prompt patching.

Technical ContextAI

Oracle REST Data Services is a Java-based mid-tier that exposes Oracle Database objects (tables, PL/SQL, JSON collections) as RESTful HTTPS endpoints, typically deployed in front of Oracle Database and Autonomous Database. The flaw resides in the ORDS Core component, which handles request routing, authentication context, and the bridge between HTTP sessions and database sessions - a layer where scope-changed vulnerabilities frequently arise because ORDS pivots an authenticated web request into privileged database operations. No CWE was assigned by the advisory, but the combination of tags (Authentication Bypass, Denial Of Service), required user interaction, and scope change is consistent with a session/authorization confusion or request-smuggling-style weakness that lets a low-privileged actor coerce a higher-privileged victim's context.

RemediationAI

Apply the patch shipped in Oracle's May 2026 Critical Patch Update as documented at https://www.oracle.com/security-alerts/cspumay2026.html; the advisory is the authoritative source for the exact fixed ORDS build number, which was not enumerated in the supplied intelligence data, so administrators must consult the CPU matrix for the specific post-26.1.0 patched release applicable to their version. Until the patch is deployed, restrict ORDS administrative and authoring endpoints (/ords/sql-developer, /ords/admin, custom-defined modules) to known-good source IPs at the load balancer or WAF, disable any ORDS schemas and roles that are not actively in use, and require strong session and CSRF protections on the front-end reverse proxy to blunt the UI:R interaction requirement - noting that WAF source restrictions may break legitimate developer tooling and SQL Developer Web access, so coordinate with database teams before enforcing. Rotate ORDS service account credentials after patching, as the scope-changed nature means database-side credentials may have been exposable.

Share

CVE-2026-35266 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy