Skip to main content

Oracle REST Data Services EUVDEUVD-2026-33039

| CVE-2026-46775 CRITICAL
Improper Access Control (CWE-284)
2026-05-28 oracle GHSA-v3pj-p78r-2j24
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:28 vuln.today

DescriptionCVE.org

Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 is achievable by a low-privileged remote attacker over HTTPS, with scope-changed impact extending to additional Oracle products beyond ORDS itself. Oracle rates this 9.9 CVSS due to the combination of low attack complexity, minimal privilege requirement, and full confidentiality/integrity/availability compromise; no public exploit identified at time of analysis, but the easy exploitability noted in Oracle's advisory makes this a high-priority patch target.

Technical ContextAI

Oracle REST Data Services is a Java-based mid-tier application that exposes Oracle Database objects (tables, views, PL/SQL) as RESTful web services over HTTPS, typically deployed on WebLogic, Tomcat, or standalone Jetty. The vulnerability resides in the ORDS Core component, which handles request routing, authentication, and SQL execution mapping. Because the CVSS vector reports S:C (scope change), the flaw allows the attacker to break out of ORDS's security authority and impact resources managed by other components - almost certainly the backing Oracle Database or adjacent middleware accessed via the ORDS service account. No CWE was assigned by Oracle, which is typical for Oracle CPU advisories; the root cause class (e.g., authorization bypass, injection, deserialization) is not publicly disclosed.

RemediationAI

Apply the Oracle Critical Patch Update from May 2026 as documented at https://www.oracle.com/security-alerts/cspumay2026.html; Patch available per vendor advisory, with the specific fixed ORDS release identified in that CPU bulletin (consult Oracle Support note for the exact post-26.1.0 build). Until the patch is deployed, restrict ORDS exposure by placing it behind a reverse proxy or WAF that enforces strict allow-listing of REST endpoints, disable any modules and schemas not actively in use via the ORDS configuration (ords config set), and audit/revoke ORDS database roles granted to low-privileged or self-service accounts since PR:L exploitation hinges on such accounts existing - note that tightening these roles may break legitimate APEX or REST-enabled application workflows. Monitor ORDS access logs and the backing database audit trail for anomalous PL/SQL invocations or schema enumeration originating from ORDS-mapped sessions.

Share

EUVD-2026-33039 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy