Description
Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). Supported versions that are affected are 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6 and 5.6.28. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks of this vulnerability can result in takeover of Oracle Hospitality OPERA 5 Property Services. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-05-28
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oracle Hospitality OPERA 5 Property Services contains an unauthenticated web‑interface vulnerability that permits any user with HTTP access to bypass all authentication controls and fully compromise the application. Rated 9.8 on the CVSS v3.1 scale, the flaw delivers catastrophic impacts on confidentiality, integrity, and availability of all property‑management data, enabling complete takeover of the OPERA server.

Affected Systems

Vendor: Oracle Corporation. Product: Oracle Hospitality OPERA 5 Property Services. Vulnerable versions: 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6, and 5.6.28.

Risk and Exploitability

The base CVSS score of 9.8 signals a critical threat affecting all CIA dimensions. An EPSS score of less than 1 % indicates that automated exploitation is statistically uncommon, and the vulnerability is not currently catalogued in the CISA KEV list. The flaw does not require any credentials and can be triggered by any host with network access to the exposed HTTP interface, making simple network segmentation or access control an effective mitigant if a patch is delayed.

Generated by OpenCVE AI on May 30, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle patch referenced in the 2026 security alert that addresses the OPERA 5 Property Services flaw for the affected versions.
  • Restrict HTTP traffic to the OPERA servers by configuring firewalls or network security groups to allow connections only from trusted internal networks or through a VPN tunnel.
  • If a patch is not immediately available, block the OPERA web port from all untrusted networks or place the service behind a reverse proxy that requires authentication before forwarding traffic to OPERA.

Generated by OpenCVE AI on May 30, 2026 at 02:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 23:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Remote Compromise in Oracle Hospitality OPERA 5 Property Services
Weaknesses CWE-284
CWE-285

Fri, 29 May 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Thu, 28 May 2026 22:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Remote Compromise in Oracle Hospitality OPERA 5 Property Services
Weaknesses CWE-284
CWE-285

Thu, 28 May 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). Supported versions that are affected are 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6 and 5.6.28. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks of this vulnerability can result in takeover of Oracle Hospitality OPERA 5 Property Services. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle hospitality Opera 5 Property Services
CPEs cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6.19.24:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6.22:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6.25.19:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6.27.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6.28:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle hospitality Opera 5 Property Services
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Oracle Hospitality Opera 5 Property Services
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-29T03:56:05.102Z

Reserved: 2026-03-26T19:48:45.680Z

Link: CVE-2026-34311

cve-icon Vulnrichment

Updated: 2026-05-28T20:49:28.280Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-28T21:16:29.180

Modified: 2026-05-29T21:14:30.070

Link: CVE-2026-34311

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T02:30:12Z

Weaknesses