Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
AnalysisAI
Unauthenticated network-based data integrity compromise in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows remote attackers to perform unauthorized insert, update, or delete operations against accessible ORDS data via HTTPS. The vulnerability resides in the Core component and is classified as an Authentication Bypass, meaning the access control enforcement in ORDS's request pipeline can be circumvented without credentials. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the exploit path is straightforward for any network-adjacent attacker.
Technical ContextAI
Oracle REST Data Services (ORDS) is Oracle's RESTful web service layer that exposes Oracle Database objects - tables, views, stored procedures - over HTTP/HTTPS. It is commonly deployed to enable database access for web applications, mobile clients, and API consumers. The affected component is 'Core,' which governs the fundamental request-handling and authentication enforcement pipeline. The vulnerability tag 'Authentication Bypass' indicates that the Core component fails to properly enforce authentication checks under certain conditions, allowing unauthenticated HTTP requests to perform data-modifying operations (DML: INSERT, UPDATE, DELETE). The CPE cpe:2.3:a:oracle_corporation:oracle_rest_data_services:*:*:*:*:*:*:*:* covers all subversions in the affected range 24.2.0-26.1.0. CWE is listed as N/A by the reporter, which limits root-cause classification; however, the Authentication Bypass tag is consistent with CWE-287 (Improper Authentication) or CWE-306 (Missing Authentication for Critical Function).
RemediationAI
Apply the patch provided in Oracle's Critical Patch Update (CPU) for May 2026, available at https://www.oracle.com/security-alerts/cspumay2026.html. Oracle CPU advisories typically include updated ORDS release packages; administrators should consult the advisory for the exact patched version number, as no specific fix version was enumerated in the available data. As a compensating control prior to patching, consider restricting network access to ORDS endpoints using perimeter firewall rules or reverse proxy access controls to limit exposure to trusted IP ranges only - note that this does not fix the underlying bypass but reduces the attacker pool. Additionally, review ORDS REST-enabled schemas and consider temporarily disabling write-capable REST endpoints (AutoREST or explicitly defined POST/PUT/DELETE handlers) on non-essential objects until the patch is applied; this limits the blast radius of unauthorized write operations at the cost of reduced API functionality.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33020
GHSA-rhq4-mw8x-m742