Skip to main content

Oracle REST Data Services CVE-2026-35277

| EUVD-2026-33038 HIGH
2026-05-28 oracle GHSA-r62f-9j49-pfm3
Authentication Bypass Oracle Oracle Rest Data Services
8.1
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:28 vuln.today

DescriptionNVD

Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

AnalysisAI

Unauthorized data access and modification in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows low-privileged remote attackers to read, create, modify, or delete any data accessible via the service. The flaw is network-reachable over HTTPS with low attack complexity (CVSS 8.1) and was disclosed by Oracle in the May 2026 Critical Patch Update. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

24 HOURS: Inventory all ORDS deployments and identify instances running versions 24.2.0-26.1.0 (query SELECT ords_version FROM ords_metadata or check admin console). Document HTTPS endpoint accessibility and database user privileges exposed via REST interfaces. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-46840 CRITICAL
10.0 May 28

Remote takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated attackers to c
CVE-2026-46775 CRITICAL
9.9 May 28

Takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 is achievable by a low-privileged remote att
CVE-2026-46822 CRITICAL
9.9 May 28

Account takeover in Oracle iAssets (part of Oracle E-Business Suite versions 12.2.3 through 12.2.15) allows a low-privil
CVE-2026-46824 CRITICAL
9.9 May 28

Account takeover in Oracle Universal Work Queue (component: Work Provider Site Level Administration) within Oracle E-Bus
CVE-2026-46839 CRITICAL
9.9 May 28

Privilege escalation to full takeover in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows a low-pr

Share

CVE-2026-35277 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy