Skip to main content

Oracle REST Data Services EUVDEUVD-2026-33052

| CVE-2026-46830 MEDIUM
Information Exposure (CWE-200)
2026-05-28 oracle GHSA-4c89-qj95-32wv
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:31 vuln.today

DescriptionCVE.org

Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

AnalysisAI

Unauthorized read access in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 is achievable by unauthenticated remote attackers via the Mongoapi component over HTTPS. The vulnerability is tagged as an Authentication Bypass, indicating the Mongoapi endpoint fails to enforce access controls, exposing a subset of data accessible through that interface. No public exploit code and no CISA KEV listing exist at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms low-complexity, zero-authentication exploitation is feasible at scale.

Technical ContextAI

Oracle REST Data Services (ORDS) is Oracle's middleware layer that exposes Oracle Database content via RESTful APIs. The affected component, Mongoapi, provides a MongoDB-compatible API interface on top of Oracle Database, allowing clients that speak the MongoDB wire protocol or REST conventions to interact with Oracle data. The CPE string cpe:2.3:a:oracle_corporation:oracle_rest_data_services:*:*:*:*:*:*:*:* confirms Oracle Corporation as the vendor and ORDS as the product. The CWE is not formally assigned in available data, but the 'Authentication Bypass' tag strongly suggests the Mongoapi endpoint lacks proper authentication enforcement - meaning requests that should require credentials are processed without validating identity. The attack surface is the HTTPS-accessible Mongoapi endpoint, making any internet- or network-exposed ORDS deployment within the affected version range potentially vulnerable.

RemediationAI

Apply the patches distributed as part of Oracle's Critical Patch Update for May 2026, available at https://www.oracle.com/security-alerts/cspumay2026.html. The advisory does not specify an exact fixed version number in the data available for this analysis - the precise target upgrade version must be confirmed from the Oracle advisory or Oracle Support directly. As an immediate compensating control, organizations should restrict network access to the ORDS Mongoapi endpoint using firewall rules or network segmentation to limit exposure to trusted clients only, noting this does not remediate the authentication bypass but reduces the attack surface. If the Mongoapi component is not operationally required, disabling it entirely removes the attack surface with no functional impact to standard ORDS REST API usage. Organizations should also audit ORDS access logs for anomalous unauthenticated HTTPS requests to Mongoapi paths as a detection measure.

Share

EUVD-2026-33052 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy