Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
AnalysisAI
Unauthorized read access in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 is achievable by unauthenticated remote attackers via the Mongoapi component over HTTPS. The vulnerability is tagged as an Authentication Bypass, indicating the Mongoapi endpoint fails to enforce access controls, exposing a subset of data accessible through that interface. No public exploit code and no CISA KEV listing exist at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms low-complexity, zero-authentication exploitation is feasible at scale.
Technical ContextAI
Oracle REST Data Services (ORDS) is Oracle's middleware layer that exposes Oracle Database content via RESTful APIs. The affected component, Mongoapi, provides a MongoDB-compatible API interface on top of Oracle Database, allowing clients that speak the MongoDB wire protocol or REST conventions to interact with Oracle data. The CPE string cpe:2.3:a:oracle_corporation:oracle_rest_data_services:*:*:*:*:*:*:*:* confirms Oracle Corporation as the vendor and ORDS as the product. The CWE is not formally assigned in available data, but the 'Authentication Bypass' tag strongly suggests the Mongoapi endpoint lacks proper authentication enforcement - meaning requests that should require credentials are processed without validating identity. The attack surface is the HTTPS-accessible Mongoapi endpoint, making any internet- or network-exposed ORDS deployment within the affected version range potentially vulnerable.
RemediationAI
Apply the patches distributed as part of Oracle's Critical Patch Update for May 2026, available at https://www.oracle.com/security-alerts/cspumay2026.html. The advisory does not specify an exact fixed version number in the data available for this analysis - the precise target upgrade version must be confirmed from the Oracle advisory or Oracle Support directly. As an immediate compensating control, organizations should restrict network access to the ORDS Mongoapi endpoint using firewall rules or network segmentation to limit exposure to trusted clients only, noting this does not remediate the authentication bypass but reduces the attack surface. If the Mongoapi component is not operationally required, disabling it entirely removes the attack surface with no functional impact to standard ORDS REST API usage. Organizations should also audit ORDS access logs for anomalous unauthenticated HTTPS requests to Mongoapi paths as a detection measure.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33052
GHSA-4c89-qj95-32wv