Skip to main content

Oracle REST Data Services EUVDEUVD-2026-33038

| CVE-2026-35277 HIGH
Improper Access Control (CWE-284)
2026-05-28 oracle GHSA-r62f-9j49-pfm3
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:28 vuln.today

DescriptionCVE.org

Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

AnalysisAI

Unauthorized data access and modification in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows low-privileged remote attackers to read, create, modify, or delete any data accessible via the service. The flaw is network-reachable over HTTPS with low attack complexity (CVSS 8.1) and was disclosed by Oracle in the May 2026 Critical Patch Update. No public exploit has been identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Technical ContextAI

Oracle REST Data Services is a Java-based middle-tier application that exposes Oracle Database objects as RESTful HTTP/HTTPS endpoints, commonly fronted by APEX or used to publish auto-REST and ORDS-defined modules. The CPE (cpe:2.3:a:oracle_corporation:oracle_rest_data_services) confirms the Core component is in scope. No CWE is assigned in the source data, but the tag 'Authentication Bypass' combined with the CVSS profile (PR:L, C:H/I:H, A:N) is consistent with an authorization/access-control flaw where an authenticated user can reach data or operations belonging to other ORDS tenants, schemas, or privileged endpoints rather than a memory-corruption or injection class bug.

RemediationAI

Patch available per vendor advisory - apply the fixed ORDS release listed in the Oracle Critical Patch Update of May 2026 (https://www.oracle.com/security-alerts/cspumay2026.html) covering versions 24.2.0 through 26.1.0. Until the upgrade can be deployed, restrict network reachability of the ORDS HTTPS listener to trusted client subnets via firewall or reverse proxy ACLs, disable or remove unused ORDS-enabled schemas and auto-REST exposure on sensitive tables to shrink the data-access surface, audit and rotate credentials for low-privileged ORDS/APEX accounts that an attacker could leverage to meet the PR:L precondition, and enable verbose ORDS access logging to detect anomalous cross-schema or privileged-endpoint requests. Note that ACL restrictions will break legitimate remote API consumers and disabling auto-REST may impact APEX-based applications relying on those endpoints.

Share

EUVD-2026-33038 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy