Skip to main content

Oracle REST Data Services EUVDEUVD-2026-33019

| CVE-2026-46841 MEDIUM
Information Exposure (CWE-200)
2026-05-28 oracle GHSA-q9f9-wq59-8f2q
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:31 vuln.today

DescriptionCVE.org

Vulnerability in Oracle REST Data Services (component: General). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

AnalysisAI

Unauthorized read access in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated remote attackers to bypass authentication controls via HTTPS and retrieve a subset of accessible data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no special conditions are needed - any network-reachable instance is potentially exploitable without credentials. No public exploit code or CISA KEV listing has been identified at time of analysis, and EPSS data was not available in the provided intelligence, limiting exploitation urgency assessment.

Technical ContextAI

Oracle REST Data Services (ORDS) is an Oracle-developed middleware layer that exposes RESTful HTTP/HTTPS APIs over Oracle Database, commonly used for Application Express (APEX), database-driven REST endpoints, and Oracle Cloud integrations. The affected component is tagged 'General,' indicating the vulnerability resides in core ORDS request handling rather than a specific module. The 'Authentication Bypass' tag suggests an improper access control or authentication verification flaw - likely a case where certain HTTPS endpoint paths or API routes fail to enforce authentication before returning data. Formal CWE classification was not assigned (listed as N/A) in the available data, preventing precise root-cause categorization (e.g., CWE-287 Improper Authentication or CWE-863 Incorrect Authorization). The CPE cpe:2.3:a:oracle_corporation:oracle_rest_data_services:*:*:*:*:*:*:*:* covers all editions of the affected product across the version range 24.2.0-26.1.0.

RemediationAI

Apply Oracle's Critical Security Patch Update released in May 2026 by consulting the official advisory at https://www.oracle.com/security-alerts/cspumay2026.html for the specific patched ORDS version - the exact fix version number is not independently specified in the available intelligence and should be confirmed directly from the Oracle CPU documentation before deployment. Oracle CPUs are cumulative, so upgrading to the version recommended in the advisory will address this and co-disclosed vulnerabilities. As a compensating control if immediate patching is not feasible, restrict network-level HTTPS access to ORDS endpoints using firewall rules or load balancer ACLs to limit exposure to trusted source IP ranges only - noting that this does not fix the underlying authentication bypass but reduces the attacker pool. Additionally, review ORDS audit and access logs for anomalous unauthenticated requests to sensitive endpoints as a detection measure during the remediation window. Organizations running ORDS in publicly internet-exposed configurations should treat this as a higher-priority patch given the zero-authentication-required exploit path.

Share

EUVD-2026-33019 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy