Skip to main content

Oracle REST Data Services CVE-2026-46775

| EUVD-2026-33039 CRITICAL
2026-05-28 oracle GHSA-v3pj-p78r-2j24
Information Disclosure Oracle Oracle Rest Data Services
9.9
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:28 vuln.today

DescriptionNVD

Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 is achievable by a low-privileged remote attacker over HTTPS, with scope-changed impact extending to additional Oracle products beyond ORDS itself. Oracle rates this 9.9 CVSS due to the combination of low attack complexity, minimal privilege requirement, and full confidentiality/integrity/availability compromise; no public exploit identified at time of analysis, but the easy exploitability noted in Oracle's advisory makes this a high-priority patch target.

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Conduct inventory of all ORDS instances running versions 24.2.0-26.1.0 and document their network access paths and data connectivity. Within 7 days: Implement strict network access controls (IP whitelisting, WAF rules, firewall policies) limiting ORDS connections to necessary systems only; enable detailed audit logging on all ORDS instances. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-46840 CRITICAL
10.0 May 28

Remote takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated attackers to c
CVE-2026-46822 CRITICAL
9.9 May 28

Account takeover in Oracle iAssets (part of Oracle E-Business Suite versions 12.2.3 through 12.2.15) allows a low-privil
CVE-2026-46824 CRITICAL
9.9 May 28

Account takeover in Oracle Universal Work Queue (component: Work Provider Site Level Administration) within Oracle E-Bus
CVE-2026-46839 CRITICAL
9.9 May 28

Privilege escalation to full takeover in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows a low-pr
CVE-2026-34311 CRITICAL
9.8 May 28

Remote takeover of Oracle Hospitality OPERA 5 Property Services (versions 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6, and 5.

Share

CVE-2026-46775 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy