Description
Vulnerability in the Oracle MCP Server Helper Tool product of Oracle Open Source Projects (component: helper tool). The supported versions that are affected are 1.0.1-1.0.156. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle MCP Server Helper Tool. Successful attacks of this vulnerability can result in Oracle MCP Server Helper Tool executing malicious SQL.
Published: 2026-05-05
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Oracle MCP Server Helper Tool is susceptible to a remote, unauthenticated flaw that allows attackers to inject and execute arbitrary SQL statements via HTTP requests. This type of vulnerability can facilitate unauthorized data disclosure, tampering, or potentially lead to remote code execution if the database server is compromised. The CVSS score of 8.7 indicates the high severity of the flaw as described in the vendor’s advisory.

Affected Systems

Affected installations are those of Oracle Corporation’s Oracle MCP Server Helper Tool from version 1.0.1 up through 1.0.156. Any instance of the helper tool running within the supported version range and exposed to an external network is susceptible.

Risk and Exploitability

The vulnerability is easily exploitable over a network using HTTP and requires no authentication. The EPSS score is not available, but a CVSS score of 8.7 reflects significant risk. It is not listed in CISA's KEV catalog, indicating no confirmed exploitation in the wild yet; nevertheless, the high severity rating and unauthenticated nature mean the risk to exposed servers is substantial.

Generated by OpenCVE AI on May 5, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Oracle MCP Server Helper Tool to a version outside 1.0.1-1.0.156 or apply the latest patch once it becomes available
  • Restrict HTTP access to the helper tool service to trusted networks or disable the service if it is not needed
  • Monitor logs for suspicious SQL activity and anomalous HTTP requests to detect potential exploitation attempts

Advisories

No advisories yet.

History

Tue, 05 May 2026 05:45:00 +0000

Type       | Values Removed | Values Added
Title      |                | Unauthenticated Remote SQL Injection in Oracle MCP Server Helper Tool
Weaknesses |                | CWE-89

Tue, 05 May 2026 04:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Vulnerability in the Oracle MCP Server Helper Tool product of Oracle Open Source Projects (component: helper tool). The supported versions that are affected are 1.0.1-1.0.156. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle MCP Server Helper Tool. Successful attacks of this vulnerability can result in Oracle MCP Server Helper Tool executing malicious SQL.
References  |                |
Metrics     |                | cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-05T03:24:59.554Z

Reserved: 2026-04-01T20:03:40.832Z

Link: CVE-2026-35228

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-05T04:16:16.530

Modified: 2026-05-05T04:16:16.530

Link: CVE-2026-35228

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T05:30:16Z

Weaknesses