Impact
A low-privileged attacker with network access over HTTPS can influence Oracle REST Data Services, provided a user other than the attacker interacts with the application. The flaw, classified as CWE-352 (Cross-Site Request Forgery) and CWE-400 (Uncontrolled Resource Consumption), permits unauthorized creation, deletion, or modification of critical data and grants full read access to all data exposed through the service. Additionally, the attacker can cause a partial denial of service by exhausting server resources. These vulnerabilities affect confidentiality, integrity, and availability, with a CVSS 3.1 base score of 7.9.
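For readers who want to see what the CWE-352 weakness class above means in server-side terms, the following Python is an added illustration, not Oracle REST Data Services code and not the vendor's fix. It shows the two independent checks that defeat a forged cross-site request to a state-changing endpoint: the browser-supplied Origin (or Referer) must match the service's own origin, and the request must carry a per-session token compared in constant time. The `Request` shape, the `https://ords.example.internal` origin, the form field name `csrf_token` and the sample requests in `demo()` are all constructed for this example.

```python
"""Generic CSRF request check for a state-changing HTTP endpoint.

Added illustration of CWE-352 (Cross-Site Request Forgery). This is not
Oracle REST Data Services code; the request model, host name and helper
names below are constructed for the example.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Methods that must never change state and therefore need no CSRF token.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# Constructed origin of the protected service (hypothetical host name).
ALLOWED_ORIGIN = "https://ords.example.internal"


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed model)."""
    method: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive header lookup, as HTTP header names are."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def issue_csrf_token() -> str:
    """Per-session random token; the server stores it alongside the session."""
    return secrets.token_urlsafe(32)


def _source_origin(request: Request) -> Optional[str]:
    """Return scheme://host[:port] the browser reports as the request's source.

    Origin is preferred; Referer is reduced to its origin as a fallback.
    A browser sends neither for a forged request it cannot attribute, and
    an attacker's page cannot set either header to the victim's origin.
    """
    origin = request.header("Origin")
    if origin and origin != "null":
        return origin
    referer = request.header("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(request: Request, session_token: Optional[str],
               allowed_origin: str = ALLOWED_ORIGIN) -> Tuple[bool, str]:
    """Decide whether a request may proceed; returns (allowed, reason).

    Both the origin check and the token check must pass for unsafe methods.
    """
    if request.method.upper() in SAFE_METHODS:
        return True, "safe method"

    source = _source_origin(request)
    if source is None:
        return False, "missing Origin/Referer"
    if source.lower() != allowed_origin.lower():
        return False, f"cross-site source {source}"

    submitted = request.form.get("csrf_token") or request.header("X-CSRF-Token")
    if not submitted or not session_token:
        return False, "missing CSRF token"
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(submitted.encode(), session_token.encode()):
        return False, "CSRF token mismatch"
    return True, "token and origin verified"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the check over constructed sample requests and return the verdicts."""
    token = issue_csrf_token()
    samples = {
        # Legitimate form post from the service's own page, token included.
        "legitimate": Request("POST", {"Origin": ALLOWED_ORIGIN},
                              {"csrf_token": token, "action": "delete"}),
        # Forged post from a third-party page: the browser reports its origin.
        "forged": Request("POST", {"Origin": "https://attacker.example"},
                          {"action": "delete"}),
        # Same-origin post that lost its token (e.g. stale page).
        "no_token": Request("POST", {"Referer": ALLOWED_ORIGIN + "/ords/app/page"},
                            {"action": "delete"}),
        # Read-only request: no token required.
        "read": Request("GET", {}),
    }
    return {name: csrf_check(req, token) for name, req in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>10}: {verdict}")
```

The origin check alone is not sufficient (some clients omit both headers, and a misconfigured proxy can strip them), and the token check alone is weakened if the token is also sent in a cookie the browser attaches automatically; requiring both, as above, is the usual defensive layering for this weakness class.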
Affected Systems
Oracle REST Data Services, supplied by Oracle Corporation, is affected in versions 24.2.0 through 26.1.0. The vulnerability is exploitable over HTTPS across the network. The CVSS vector indicates a scope change, meaning exploitation may impact other Oracle products that interact with the REST layer.
Risk and Exploitability
The CVSS score reflects high confidentiality and integrity impact with low availability impact, and the EPSS of <1% indicates a very low exploitation probability at present. The requirement for user interaction reduces the likelihood of widespread attacks, but the potential for data loss and service disruption warrants prompt action. The issue is not listed in the CISA KEV catalog, so no confirmed active exploitation has been reported yet.
OpenCVE Enrichment