Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in Oracle REST Data Services (component: General). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
AnalysisAI
Unauthorized read access in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated remote attackers to bypass authentication controls via HTTPS and retrieve a subset of accessible data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no special conditions are needed - any network-reachable instance is potentially exploitable without credentials. No public exploit code or CISA KEV listing has been identified at time of analysis, and EPSS data was not available in the provided intelligence, limiting exploitation urgency assessment.
Technical ContextAI
Oracle REST Data Services (ORDS) is an Oracle-developed middleware layer that exposes RESTful HTTP/HTTPS APIs over Oracle Database, commonly used for Application Express (APEX), database-driven REST endpoints, and Oracle Cloud integrations. The affected component is tagged 'General,' indicating the vulnerability resides in core ORDS request handling rather than a specific module. The 'Authentication Bypass' tag suggests an improper access control or authentication verification flaw - likely a case where certain HTTPS endpoint paths or API routes fail to enforce authentication before returning data. Formal CWE classification was not assigned (listed as N/A) in the available data, preventing precise root-cause categorization (e.g., CWE-287 Improper Authentication or CWE-863 Incorrect Authorization). The CPE cpe:2.3:a:oracle_corporation:oracle_rest_data_services:*:*:*:*:*:*:*:* covers all editions of the affected product across the version range 24.2.0-26.1.0.
RemediationAI
Apply Oracle's Critical Security Patch Update released in May 2026 by consulting the official advisory at https://www.oracle.com/security-alerts/cspumay2026.html for the specific patched ORDS version - the exact fix version number is not independently specified in the available intelligence and should be confirmed directly from the Oracle CPU documentation before deployment. Oracle CPUs are cumulative, so upgrading to the version recommended in the advisory will address this and co-disclosed vulnerabilities. As a compensating control if immediate patching is not feasible, restrict network-level HTTPS access to ORDS endpoints using firewall rules or load balancer ACLs to limit exposure to trusted source IP ranges only - noting that this does not fix the underlying authentication bypass but reduces the attacker pool. Additionally, review ORDS audit and access logs for anomalous unauthenticated requests to sensitive endpoints as a detection measure during the remediation window. Organizations running ORDS in publicly internet-exposed configurations should treat this as a higher-priority patch given the zero-authentication-required exploit path.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33019
GHSA-q9f9-wq59-8f2q