Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). Supported versions that are affected are 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6 and 5.6.28. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks of this vulnerability can result in takeover of Oracle Hospitality OPERA 5 Property Services. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Remote takeover of Oracle Hospitality OPERA 5 Property Services (versions 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6, and 5.6.28) is achievable by unauthenticated network attackers over HTTP, per Oracle's May 2026 CPU. With CVSS 9.8 and full CIA impact, this is a critical hospitality-sector exposure, though no public exploit is identified at time of analysis and KEV status is not present. EPSS data was not supplied, so probability-of-exploitation cannot be quantified.
Technical ContextAI
OPERA 5 Property Services is Oracle Hospitality's on-premises property management system (PMS) widely deployed by hotels and hospitality operators to manage reservations, guest profiles, billing, and front-desk operations, identified by CPE cpe:2.3:a:oracle_corporation:oracle_hospitality_opera_5_property_services. The advisory does not assign a CWE, but the combination of network-reachable HTTP attack surface, lack of authentication, and 'takeover' outcome typically corresponds to weaknesses such as authentication bypass, deserialization, or injection in the application's web tier. Because OPERA exposes management and integration interfaces over HTTP, any input-handling defect in those endpoints can translate directly into full service compromise.
RemediationAI
Apply the fixes delivered in Oracle's May 2026 Critical Patch Update for Oracle Hospitality Applications, documented at https://www.oracle.com/security-alerts/cspumay2026.html; exact patched build numbers are listed in that advisory and should be cited directly from it rather than inferred. Until patching is complete, restrict network reachability of OPERA 5 Property Services HTTP endpoints to trusted management VLANs and front-desk subnets via firewall ACLs, place the service behind an authenticating reverse proxy or VPN, and enable WAF rules in front of the OPERA web tier - noting that filtering may break legitimate integrations with PMS connectors, channel managers, and POS systems, so test integration paths after enabling controls. Monitor HTTP access logs for unauthenticated requests to administrative or integration URIs as a detection compensator.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33036
GHSA-g89r-3vv2-wxjx