Skip to main content

Oracle REST Data Services CVE-2026-46839

| EUVDEUVD-2026-33017 CRITICAL
Improper Access Control (CWE-284)
2026-05-28 oracle GHSA-4c2q-9g38-8v79
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:21 vuln.today

DescriptionCVE.org

Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Privilege escalation to full takeover in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows a low-privileged remote attacker over HTTPS to fully compromise the service and pivot into adjacent products via a CVSS scope change. CVSS 3.1 base score is 9.9 with attack complexity rated low, and no public exploit identified at time of analysis. The scope-change designation is the key differentiator - successful exploitation extends beyond ORDS itself into systems it fronts, most notably the backing Oracle Database.

Technical ContextAI

Oracle REST Data Services is a Java-based mid-tier that exposes Oracle Database objects as RESTful web services over HTTP/HTTPS, typically deployed in Tomcat, WebLogic, or standalone via Jetty. The CPE cpe:2.3:a:oracle_corporation:oracle_rest_data_services covers all 24.2.0-26.1.0 builds in the Core component. No CWE is assigned in the input, but the CVSS profile (PR:L, S:C, C:H/I:H/A:H) combined with ORDS's role as a database-facing REST gateway is consistent with an authorization or authentication-bypass class flaw in the Core request-handling pipeline that lets a low-privileged REST principal escalate to administrative control and reach the backing Oracle Database it proxies.

RemediationAI

Apply the fixes delivered in the Oracle Critical Patch Update of May 2026 as documented at https://www.oracle.com/security-alerts/cspumay2026.html; Patch available per vendor advisory, with the specific patched build to be selected from the CPU matrix for your installed 24.2.0-26.1.0 release. Until patching is possible, restrict network reachability of the ORDS listener to trusted application tiers via firewall or reverse-proxy ACLs, remove or disable unused REST-enabled schemas and modules to shrink the attack surface, and rotate or disable low-privileged ORDS accounts that are not actively required - accept that ACL restrictions will block legitimate REST consumers and that disabling modules will break any applications depending on them. Monitor ORDS access logs and database audit trails for unexpected privilege use from REST sessions, and review any ORDS administrator role grants for least-privilege compliance.

Share

CVE-2026-46839 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy