Impact
The vulnerability in Oracle Hospitality OPERA 5 Property Services permits an unauthenticated attacker with HTTP access to modify, insert, or delete data, as well as read restricted data. The flaw lies in missing or ineffective authorization controls, allowing unauthorized data operations that compromise confidentiality and integrity of hotel management information. Successful exploitation could alter booking records, customer details, or pricing, potentially disrupting operations and exposing sensitive information.
Affected Systems
Oracle Hospitality OPERA 5 Property Services, versions 5.6.19.23, 5.6.25.17, 5.6.26.10 and 5.6.27.4. The product is used by hotels and hospitality establishments to manage reservations and property services.
Risk and Exploitability
The CVSS 3.1 base score of 6.1 indicates medium severity. The EPSS score is below 1%, implying a very low but non-zero probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be on the same network as the OPERA server and to interact with it over HTTP; user interaction is necessary, suggesting the exploit must involve a user delivering a crafted HTTP request. Once triggered, the attacker can abuse the missing authorization to gain read or write access to a subset of the system's data. The scope change indicates that the impact may extend beyond the OPERA application to other integrated services.