Skip to main content

Oracle REST Data Services CVE-2026-46840

| EUVDEUVD-2026-33018 CRITICAL
Improper Access Control (CWE-284)
2026-05-28 oracle GHSA-2gr4-fx2q-v5vq
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:21 vuln.today

DescriptionCVE.org

Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Remote takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated attackers to compromise the service over HTTPS and pivot into adjacent products due to a scope-changing flaw. With a maximum CVSS 10.0 score and trivial exploitability (AV:N/AC:L/PR:N/UI:N), this Backend-as-a-Service component vulnerability poses critical risk, though no public exploit identified at time of analysis and no EPSS or CISA KEV signal has been provided in the available data.

Technical ContextAI

Oracle REST Data Services is a Java-based middle-tier application (cpe:2.3:a:oracle_corporation:oracle_rest_data_services) that exposes Oracle Database objects, PL/SQL, and SODA collections as RESTful web services, commonly fronted by Tomcat, WebLogic, or a standalone Jetty instance. The flaw resides in the Backend-as-a-Service (BaaS) component, which auto-generates REST endpoints for database schemas and handles JSON document storage. No CWE has been assigned by Oracle's CPU notice, but the combination of unauthenticated network access, low complexity, full CIA impact, and a changed scope (S:C) is consistent with an authentication bypass or injection flaw in the REST request handling pipeline that allows the ORDS service principal to reach beyond its own security authority - typically into the back-end Oracle Database the service is provisioned against.

RemediationAI

Apply the fixes documented in Oracle's May 2026 Critical Patch Update at https://www.oracle.com/security-alerts/cspumay2026.html as soon as possible - exact post-26.1.0 fix versions are not enumerated in the provided data, so consult the CPU patch matrix for the build that corresponds to your ORDS deployment (patch available per vendor advisory). Until patching is complete, restrict network reachability to the ORDS listener by placing it behind an authenticating reverse proxy or WAF, blocking internet exposure of ORDS endpoints (commonly /ords/, /apex/, and any auto-generated BaaS module paths), and disabling unused BaaS-enabled schemas via ORDS.DISABLE_SCHEMA; note that disabling BaaS will break any applications consuming auto-REST and SODA endpoints. Audit database accounts mapped to ORDS_PUBLIC_USER and per-schema ORDS proxy users to enforce least privilege so that a service-level compromise has the smallest possible blast radius into the database.

Share

CVE-2026-46840 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy