Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 is achievable by a low-privileged remote attacker over HTTPS, with scope-changed impact extending to additional Oracle products beyond ORDS itself. Oracle rates this 9.9 CVSS due to the combination of low attack complexity, minimal privilege requirement, and full confidentiality/integrity/availability compromise; no public exploit identified at time of analysis, but the easy exploitability noted in Oracle's advisory makes this a high-priority patch target.
Technical ContextAI
Oracle REST Data Services is a Java-based mid-tier application that exposes Oracle Database objects (tables, views, PL/SQL) as RESTful web services over HTTPS, typically deployed on WebLogic, Tomcat, or standalone Jetty. The vulnerability resides in the ORDS Core component, which handles request routing, authentication, and SQL execution mapping. Because the CVSS vector reports S:C (scope change), the flaw allows the attacker to break out of ORDS's security authority and impact resources managed by other components - almost certainly the backing Oracle Database or adjacent middleware accessed via the ORDS service account. No CWE was assigned by Oracle, which is typical for Oracle CPU advisories; the root cause class (e.g., authorization bypass, injection, deserialization) is not publicly disclosed.
RemediationAI
Apply the Oracle Critical Patch Update from May 2026 as documented at https://www.oracle.com/security-alerts/cspumay2026.html; Patch available per vendor advisory, with the specific fixed ORDS release identified in that CPU bulletin (consult Oracle Support note for the exact post-26.1.0 build). Until the patch is deployed, restrict ORDS exposure by placing it behind a reverse proxy or WAF that enforces strict allow-listing of REST endpoints, disable any modules and schemas not actively in use via the ORDS configuration (ords config set), and audit/revoke ORDS database roles granted to low-privileged or self-service accounts since PR:L exploitation hinges on such accounts existing - note that tightening these roles may break legitimate APEX or REST-enabled application workflows. Monitor ORDS access logs and the backing database audit trail for anomalous PL/SQL invocations or schema enumeration originating from ORDS-mapped sessions.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33039
GHSA-v3pj-p78r-2j24