Description
Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 7.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L).
Published: 2026-05-28
Score: 7.9 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oracle REST Data Services allows a low‑privileged attacker with network access over HTTPS to influence the system, provided that a non‑attacker user interacts with the application. The flaw permits unauthorized creation, deletion, or modification of critical data and offers complete read access to all data exposed through the service. Additionally, an attacker can partially deny service to legitimate users. This combination of confidentiality, integrity, and availability violations yields a CVSS 3.1 base score of 7.9 (C:H, I:H, A:L).

Affected Systems

Affected products are Oracle REST Data Services offered by Oracle Corporation. Versions from 24.2.0 through 26.1.0 are vulnerable. The impact extends beyond the REST service, as a scope change in the CVSS vector indicates that exploitation may affect additional Oracle products that interact with the REST layer. The vulnerability is exploitable via HTTPS over the network.

Risk and Exploitability

The CVSS score reflects high confidentiality and integrity risk, but a low availability impact. EPSS is not provided, suggesting insufficient data on exploitation frequency; however, the user interaction requirement means that attackers would likely need to lure or abuse system users, which reduces the likelihood of widespread exploitation. KEV does not list this issue, so there is no evidence of active exploitation at this time. Nevertheless, given the potential for data loss and disruption to critical services, the vulnerability warrants prompt attention.

Generated by OpenCVE AI on May 28, 2026 at 21:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle REST Data Services patch or upgrade to a version newer than 26.1.0 that contains the fix.
  • Restrict network access to the REST endpoint by placing it behind a firewall or VPN and limiting exposure to trusted IP ranges.
  • Enforce strict authentication and limit user privileges, removing rights that are not required to use the REST API.
  • Monitor REST service logs for suspicious activity and enable alerting for unauthorized data manipulation attempts.

Advisories

No advisories yet.

History

Fri, 29 May 2026 17:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-352 |
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Thu, 28 May 2026 22:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Unauthorized Data Modification and Partial Denial of Service in Oracle REST Data Services via HTTPS |
| Weaknesses | | CWE-284 |

Thu, 28 May 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 7.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L). |
| First Time appeared | | Oracle; Oracle rest Data Services |
| CPEs | | cpe:2.3:a:oracle:rest_data_services:*:*:*:*:*:*:*:* |
| Vendors & Products | | Oracle; Oracle rest Data Services |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L'} |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-29T16:47:13.650Z

Reserved: 2026-04-01T20:03:40.835Z

Link: CVE-2026-35266

Vulnrichment

Updated: 2026-05-29T16:45:49.567Z

NVD

Status: Undergoing Analysis

Published: 2026-05-28T21:16:29.330

Modified: 2026-05-29T18:17:08.850

Link: CVE-2026-35266

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T21:45:27Z

Weaknesses