Description
Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-05-28
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability exists in the Core component of Oracle REST Data Services that is easily exploitable by a low privileged attacker who has network access to the service over HTTPS. Exploitation leads to full takeover of the REST service, resulting in complete compromise of confidentiality, integrity, and availability of the affected instance.

Affected Systems

Oracle REST Data Services versions 24.2.0 through 26.1.0 are affected. The vulnerability is specific to the Core component of the product.

Risk and Exploitability

The CVSS score is 9.9, indicating critical severity. The EPSS score of < 1% indicates an extremely low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is HTTPS, requiring only low privileges and network access. Because of the scope change, the vulnerability can also affect additional products. Overall, the potential impact is critical, but the likelihood of exploitation is low at present.

Generated by OpenCVE AI on June 3, 2026 at 22:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oracle REST Data Services to the latest available version that includes the vendor patch for this vulnerability.
  • Restrict network access to the REST service by configuring firewall rules to allow HTTPS traffic only from trusted networks or hosts.
  • Enforce strict authentication and authorization controls on the REST endpoints to limit access to authorized users and prevent scope expansion to other products.

Generated by OpenCVE AI on June 3, 2026 at 22:53 UTC.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via HTTPS Leading to Full Compromise of Oracle REST Data Services

Wed, 03 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via HTTPS in Oracle REST Data Services (Core)
Weaknesses CWE-94

Wed, 03 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Fri, 29 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 22:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via HTTPS in Oracle REST Data Services (Core)
Weaknesses CWE-284
CWE-94

Thu, 28 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle rest Data Services
CPEs cpe:2.3:a:oracle:rest_data_services:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle rest Data Services
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-29T16:47:07.185Z

Reserved: 2026-05-18T15:55:10.297Z

Link: CVE-2026-46775

Vulnrichment

Updated: 2026-05-29T16:44:35.502Z

NVD

Status: Analyzed

Published: 2026-05-28T21:16:31.383

Modified: 2026-06-03T18:35:51.033

Link: CVE-2026-46775

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T23:00:16Z

Weaknesses
  • CWE-284

    Improper Access Control

  • CWE-400

    Uncontrolled Resource Consumption