Skip to main content

Oracle Hospitality OPERA 5 EUVDEUVD-2026-33036

| CVE-2026-34311 CRITICAL
2026-05-28 oracle GHSA-g89r-3vv2-wxjx
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:29 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). Supported versions that are affected are 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6 and 5.6.28. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks of this vulnerability can result in takeover of Oracle Hospitality OPERA 5 Property Services. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote takeover of Oracle Hospitality OPERA 5 Property Services (versions 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6, and 5.6.28) is achievable by unauthenticated network attackers over HTTP, per Oracle's May 2026 CPU. With CVSS 9.8 and full CIA impact, this is a critical hospitality-sector exposure, though no public exploit is identified at time of analysis and KEV status is not present. EPSS data was not supplied, so probability-of-exploitation cannot be quantified.

Technical ContextAI

OPERA 5 Property Services is Oracle Hospitality's on-premises property management system (PMS) widely deployed by hotels and hospitality operators to manage reservations, guest profiles, billing, and front-desk operations, identified by CPE cpe:2.3:a:oracle_corporation:oracle_hospitality_opera_5_property_services. The advisory does not assign a CWE, but the combination of network-reachable HTTP attack surface, lack of authentication, and 'takeover' outcome typically corresponds to weaknesses such as authentication bypass, deserialization, or injection in the application's web tier. Because OPERA exposes management and integration interfaces over HTTP, any input-handling defect in those endpoints can translate directly into full service compromise.

RemediationAI

Apply the fixes delivered in Oracle's May 2026 Critical Patch Update for Oracle Hospitality Applications, documented at https://www.oracle.com/security-alerts/cspumay2026.html; exact patched build numbers are listed in that advisory and should be cited directly from it rather than inferred. Until patching is complete, restrict network reachability of OPERA 5 Property Services HTTP endpoints to trusted management VLANs and front-desk subnets via firewall ACLs, place the service behind an authenticating reverse proxy or VPN, and enable WAF rules in front of the OPERA web tier - noting that filtering may break legitimate integrations with PMS connectors, channel managers, and POS systems, so test integration paths after enabling controls. Monitor HTTP access logs for unauthenticated requests to administrative or integration URIs as a detection compensator.

Share

EUVD-2026-33036 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy