Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
AnalysisAI
Remote denial-of-service in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated network attackers to cause a complete hang or repeatable crash of the service via the Mongoapi component over HTTPS. The vulnerability is rated CVSS 7.5 with availability-only impact and no public exploit identified at time of analysis, but the unauthenticated, low-complexity attack profile makes it operationally significant for any internet-exposed ORDS instance.
Technical ContextAI
Oracle REST Data Services is a Java-based middleware that exposes Oracle Database objects as RESTful endpoints, and ORDS includes a MongoDB API (SODA for REST / Mongoapi) compatibility layer that lets MongoDB clients interact with Oracle Database collections over HTTPS. The flaw resides in this Mongoapi component, which parses MongoDB wire-protocol or JSON request payloads; while Oracle does not publish a CWE, the availability-only impact (CWE-400 Uncontrolled Resource Consumption or CWE-835 Infinite Loop are typical root causes for this class) suggests malformed input causes the request handler to enter a non-terminating state or exhaust resources. The affected CPE confirms the scope is the Oracle Corporation ORDS product across the 24.2.0-26.1.0 range.
RemediationAI
Apply the patch available per vendor advisory by installing the fixed ORDS release distributed through Oracle CPU May 2026 (https://www.oracle.com/security-alerts/cspumay2026.html); Oracle's CPU notes should be consulted for the exact post-26.1.0 fixed build number, which is not independently confirmed in the source data. If immediate patching is not feasible, disable the Mongoapi/SODA-for-REST endpoint in ORDS configuration (mongo.enabled=false in ords config) to remove the vulnerable code path entirely - the trade-off is that MongoDB-protocol clients will lose access to Oracle collections - or place ORDS behind a reverse proxy/WAF that blocks requests to the /ords/.../mongo route from untrusted networks, accepting that this only narrows exposure rather than eliminating it.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33051
GHSA-qp7g-8wjq-92rc