Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
AnalysisAI
Partial denial-of-service in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated remote attackers to degrade availability of the Core component via HTTPS. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the vulnerability is trivially reachable with no authentication, no user interaction, and no special conditions, making automated scanning and opportunistic exploitation straightforward despite the limited availability-only impact. No public exploit code and no CISA KEV listing have been identified at time of analysis, and Oracle disclosed this through its May 2026 Critical Patch Update.
Technical ContextAI
Oracle REST Data Services (ORDS) is Oracle's middleware layer that exposes database resources as RESTful web services over HTTPS, commonly deployed in front of Oracle Database and Autonomous Database environments. The affected component is 'Core', which handles foundational request processing. The CPE string (cpe:2.3:a:oracle_corporation:oracle_rest_data_services:*:*:*:*:*:*:*:*) confirms the vulnerability spans the entire product line across the listed version range. No CWE classification was provided by Oracle or NVD, which is consistent with Oracle's standard practice of withholding root-cause details; the partial availability impact (A:L in CVSS) and the lack of confidentiality or integrity impact (C:N/I:N) suggest the flaw likely involves resource exhaustion, malformed request handling, or an uncontrolled processing loop in the Core request pipeline rather than memory corruption or injection.
RemediationAI
Upgrade Oracle REST Data Services to a version beyond the affected range (24.2.0-26.1.0) per the Oracle Critical Patch Update for May 2026, available at https://www.oracle.com/security-alerts/cspumay2026.html. An exact fix version number is not specified in the provided intelligence data - consult the full CPU advisory and Oracle Support for the precise patched release applicable to your deployment. As a compensating control pending patching, restrict network access to ORDS HTTPS endpoints at the perimeter or load balancer layer to known, trusted client IP ranges; this directly counteracts the AV:N attack vector and eliminates remote exploitability for unauthorized sources, with the trade-off of potentially disrupting legitimate external API consumers. Rate-limiting inbound HTTPS connections to the ORDS listener can reduce the impact of any availability-targeted abuse without requiring a network block. Web Application Firewall (WAF) rules inspecting malformed or anomalous HTTPS request patterns toward ORDS endpoints may provide additional mitigation, though rule specificity is limited without a published CWE or request pattern for this vulnerability.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33021
GHSA-5g7w-gjx9-g73q