Skip to main content

Oracle REST Data Services EUVDEUVD-2026-33051

| CVE-2026-46829 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-05-28 oracle GHSA-qp7g-8wjq-92rc
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:23 vuln.today

DescriptionCVE.org

Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

AnalysisAI

Remote denial-of-service in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated network attackers to cause a complete hang or repeatable crash of the service via the Mongoapi component over HTTPS. The vulnerability is rated CVSS 7.5 with availability-only impact and no public exploit identified at time of analysis, but the unauthenticated, low-complexity attack profile makes it operationally significant for any internet-exposed ORDS instance.

Technical ContextAI

Oracle REST Data Services is a Java-based middleware that exposes Oracle Database objects as RESTful endpoints, and ORDS includes a MongoDB API (SODA for REST / Mongoapi) compatibility layer that lets MongoDB clients interact with Oracle Database collections over HTTPS. The flaw resides in this Mongoapi component, which parses MongoDB wire-protocol or JSON request payloads; while Oracle does not publish a CWE, the availability-only impact (CWE-400 Uncontrolled Resource Consumption or CWE-835 Infinite Loop are typical root causes for this class) suggests malformed input causes the request handler to enter a non-terminating state or exhaust resources. The affected CPE confirms the scope is the Oracle Corporation ORDS product across the 24.2.0-26.1.0 range.

RemediationAI

Apply the patch available per vendor advisory by installing the fixed ORDS release distributed through Oracle CPU May 2026 (https://www.oracle.com/security-alerts/cspumay2026.html); Oracle's CPU notes should be consulted for the exact post-26.1.0 fixed build number, which is not independently confirmed in the source data. If immediate patching is not feasible, disable the Mongoapi/SODA-for-REST endpoint in ORDS configuration (mongo.enabled=false in ords config) to remove the vulnerable code path entirely - the trade-off is that MongoDB-protocol clients will lose access to Oracle collections - or place ORDS behind a reverse proxy/WAF that blocks requests to the /ords/.../mongo route from untrusted networks, accepting that this only narrows exposure rather than eliminating it.

Share

EUVD-2026-33051 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy