Skip to main content

Oracle ORDS EUVDEUVD-2026-33020

| CVE-2026-46842 MEDIUM
Improper Access Control (CWE-284)
2026-05-28 oracle GHSA-rhq4-mw8x-m742
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:31 vuln.today

DescriptionCVE.org

Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

AnalysisAI

Unauthenticated network-based data integrity compromise in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows remote attackers to perform unauthorized insert, update, or delete operations against accessible ORDS data via HTTPS. The vulnerability resides in the Core component and is classified as an Authentication Bypass, meaning the access control enforcement in ORDS's request pipeline can be circumvented without credentials. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the exploit path is straightforward for any network-adjacent attacker.

Technical ContextAI

Oracle REST Data Services (ORDS) is Oracle's RESTful web service layer that exposes Oracle Database objects - tables, views, stored procedures - over HTTP/HTTPS. It is commonly deployed to enable database access for web applications, mobile clients, and API consumers. The affected component is 'Core,' which governs the fundamental request-handling and authentication enforcement pipeline. The vulnerability tag 'Authentication Bypass' indicates that the Core component fails to properly enforce authentication checks under certain conditions, allowing unauthenticated HTTP requests to perform data-modifying operations (DML: INSERT, UPDATE, DELETE). The CPE cpe:2.3:a:oracle_corporation:oracle_rest_data_services:*:*:*:*:*:*:*:* covers all subversions in the affected range 24.2.0-26.1.0. CWE is listed as N/A by the reporter, which limits root-cause classification; however, the Authentication Bypass tag is consistent with CWE-287 (Improper Authentication) or CWE-306 (Missing Authentication for Critical Function).

RemediationAI

Apply the patch provided in Oracle's Critical Patch Update (CPU) for May 2026, available at https://www.oracle.com/security-alerts/cspumay2026.html. Oracle CPU advisories typically include updated ORDS release packages; administrators should consult the advisory for the exact patched version number, as no specific fix version was enumerated in the available data. As a compensating control prior to patching, consider restricting network access to ORDS endpoints using perimeter firewall rules or reverse proxy access controls to limit exposure to trusted IP ranges only - note that this does not fix the underlying bypass but reduces the attacker pool. Additionally, review ORDS REST-enabled schemas and consider temporarily disabling write-capable REST endpoints (AutoREST or explicitly defined POST/PUT/DELETE handlers) on non-essential objects until the patch is applied; this limits the blast radius of unauthorized write operations at the cost of reduced API functionality.

Share

EUVD-2026-33020 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy