Description
Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Published: 2026-05-28
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vulnerability in the core component of Oracle REST Data Services allows a low‑privileged attacker with network reach to HTTPS endpoints to create, delete, or modify critical data. Exploitation results in the attacker gaining unauthorized access to all data exposed by the service, potentially compromising confidentiality and integrity. This flaw stems from inadequate access control in the REST API and is referenced as CWE‑284 and CWE‑285.

Affected Systems

Oracle REST Data Services (ORDS), versions 24.2.0 through 26.1.0, are affected. The issue is present in the core component, which is part of the default distribution. Users should verify their installation version against the range and plan an upgrade.

Risk and Exploitability

The CVSS 3.1 base score for this vulnerability is 8.1, indicating high severity with significant confidentiality and integrity impacts. EPSS data is not available, and the vulnerability is not currently listed in CISA's KEV catalog. The affected endpoints are reachable over HTTPS, a standard network interface, and the vector requires only low privileges (PR:L) and no user interaction (UI:N), so any low-privileged account that can reach the service over the network is in a position to exploit it. Because the impact extends to any data accessible via ORDS, the risk to organizations is substantial.

Generated by OpenCVE AI on May 28, 2026 at 21:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oracle REST Data Services to a version later than 26.1.0 that contains the security fix.
  • If an immediate upgrade is not possible, limit external network access to the ORDS instance to trusted hosts only and enforce network segmentation.
  • Apply all supplemental security hardening guidelines published by Oracle for ORDS, including disabling unused endpoints and ensuring proper authentication is enforced.

Advisories

No advisories yet.

History

Fri, 29 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 22:00:00 +0000

Type | Values Removed | Values Added
Title | | Oracle REST Data Services Unauthorized Data Modification via HTTPS
Weaknesses | | CWE-284, CWE-285

Thu, 28 May 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
First Time appeared | | Oracle; Oracle rest Data Services
CPEs | | cpe:2.3:a:oracle:rest_data_services:*:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle rest Data Services
References | |
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-29T16:47:10.154Z

Reserved: 2026-04-01T20:03:40.835Z

Link: CVE-2026-35277

Vulnrichment

Updated: 2026-05-29T16:45:11.331Z

NVD

Status: Undergoing Analysis

Published: 2026-05-28T21:16:29.460

Modified: 2026-05-29T18:17:09.007

Link: CVE-2026-35277

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T21:45:27Z

Weaknesses