Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Remote takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated attackers to compromise the service over HTTPS and pivot into adjacent products due to a scope-changing flaw. With a maximum CVSS 10.0 score and trivial exploitability (AV:N/AC:L/PR:N/UI:N), this Backend-as-a-Service component vulnerability poses critical risk, though no public exploit identified at time of analysis and no EPSS or CISA KEV signal has been provided in the available data.
Technical ContextAI
Oracle REST Data Services is a Java-based middle-tier application (cpe:2.3:a:oracle_corporation:oracle_rest_data_services) that exposes Oracle Database objects, PL/SQL, and SODA collections as RESTful web services, commonly fronted by Tomcat, WebLogic, or a standalone Jetty instance. The flaw resides in the Backend-as-a-Service (BaaS) component, which auto-generates REST endpoints for database schemas and handles JSON document storage. No CWE has been assigned by Oracle's CPU notice, but the combination of unauthenticated network access, low complexity, full CIA impact, and a changed scope (S:C) is consistent with an authentication bypass or injection flaw in the REST request handling pipeline that allows the ORDS service principal to reach beyond its own security authority - typically into the back-end Oracle Database the service is provisioned against.
RemediationAI
Apply the fixes documented in Oracle's May 2026 Critical Patch Update at https://www.oracle.com/security-alerts/cspumay2026.html as soon as possible - exact post-26.1.0 fix versions are not enumerated in the provided data, so consult the CPU patch matrix for the build that corresponds to your ORDS deployment (patch available per vendor advisory). Until patching is complete, restrict network reachability to the ORDS listener by placing it behind an authenticating reverse proxy or WAF, blocking internet exposure of ORDS endpoints (commonly /ords/, /apex/, and any auto-generated BaaS module paths), and disabling unused BaaS-enabled schemas via ORDS.DISABLE_SCHEMA; note that disabling BaaS will break any applications consuming auto-REST and SODA endpoints. Audit database accounts mapped to ORDS_PUBLIC_USER and per-schema ORDS proxy users to enforce least privilege so that a service-level compromise has the smallest possible blast radius into the database.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33018
GHSA-2gr4-fx2q-v5vq