Description
Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Opera Servlet). Supported versions that are affected are 5.6.19.23, 5.6.25.17, 5.6.26.10 and 5.6.27.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 accessible data as well as unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hospitality OPERA 5. CVSS 3.1 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L).
Published: 2026-01-20
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Unauthorized Access to Data and Partial Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the Opera Servlet component of Oracle Hospitality OPERA 5 and permits an unauthenticated attacker with network access over HTTP to obtain confidential data, modify or delete some data, and trigger a partial denial of service. This corresponds to high confidentiality impact, low integrity impact, and low availability impact (C:H/I:L/A:L), consistent with the CVSS v3.1 score of 8.6.

Affected Systems

Oracle Hospitality OPERA 5, with affected releases 5.6.19.23, 5.6.25.17, 5.6.26.10, and 5.6.27.4.

Risk and Exploitability

The CVSS score of 8.6 indicates a high-severity vulnerability. The EPSS score of <1% suggests a low likelihood of exploitation under current conditions, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is network-based over HTTP (AV:N) and requires no authentication (PR:N), making it easily exploitable for remote attackers.

Generated by OpenCVE AI on April 18, 2026 at 15:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-released patch for Oracle Hospitality OPERA 5 when it becomes available.
  • Restrict HTTP access to the OPERA 5 web interface by permitting only trusted IP ranges or by placing the application behind a VPN or firewall.
  • Disable or secure any unnecessary administrative endpoints exposed by the Opera Servlet.
  • Monitor logs for unexpected database access attempts or repeated failed requests that could indicate exploitation attempts.
  • If no patch or fix is currently available, isolate the OPERA 5 instance from public networks and enforce strong access controls such as dedicated access control lists or multi‑factor authentication.


Advisories

No advisories yet.

History

Sat, 18 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Access and Partial DoS via Opera Servlet

Thu, 29 Jan 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Wed, 21 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Opera Servlet). Supported versions that are affected are 5.6.19.23, 5.6.25.17, 5.6.26.10 and 5.6.27.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 accessible data as well as unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hospitality OPERA 5. CVSS 3.1 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L).
First Time appeared Oracle
Oracle hospitality Opera 5
CPEs cpe:2.3:a:oracle:hospitality_opera_5:5.6.19.23:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_opera_5:5.6.25.17:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_opera_5:5.6.26.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_opera_5:5.6.27.4:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle hospitality Opera 5
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T19:32:12.949Z

Reserved: 2026-01-05T18:07:34.714Z

Link: CVE-2026-21967

Vulnrichment

Updated: 2026-01-21T19:31:08.759Z

NVD

Status: Analyzed

Published: 2026-01-20T22:15:59.733

Modified: 2026-01-29T14:48:41.807

Link: CVE-2026-21967

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:45:04Z

Weaknesses