Description
Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-05-28
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability exists in the Core component of Oracle REST Data Services that is easily exploitable by a low privileged attacker who has network access to the service over HTTPS. Exploitation leads to full takeover of the REST service, resulting in complete compromise of confidentiality, integrity, and availability of the affected instance.

Affected Systems

Oracle REST Data Services versions 24.2.0 through 26.1.0 are affected. The vulnerability is specific to the Core component of the product.

Risk and Exploitability

The CVSS score is 9.9, indicating critical severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is HTTPS over the network, requiring only low privileges; because of the scope change, the vulnerability can also affect additional products. The high severity combined with ease of exploitation makes this a high-risk threat for any deployment of the affected versions.

Generated by OpenCVE AI on May 28, 2026 at 21:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oracle REST Data Services to the latest available version that includes the vendor patch for this vulnerability.
  • Restrict network access to the REST service by configuring firewall rules to allow HTTPS traffic only from trusted networks or hosts.
  • Enforce strict authentication and authorization controls on the REST endpoints to limit access to authorized users and prevent scope expansion to other products.


Advisories

No advisories yet.

History

Fri, 29 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 22:00:00 +0000

Type | Values Removed | Values Added
Title | | Remote Code Execution via HTTPS in Oracle REST Data Services (Core)
Weaknesses | | CWE-284, CWE-94

Thu, 28 May 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
First Time appeared | | Oracle; Oracle rest Data Services
CPEs | | cpe:2.3:a:oracle:rest_data_services:*:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle rest Data Services
References | |
Metrics | | cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-29T16:47:07.185Z

Reserved: 2026-05-18T15:55:10.297Z

Link: CVE-2026-46775

Vulnrichment

Updated: 2026-05-29T16:44:35.502Z

NVD

Status: Undergoing Analysis

Published: 2026-05-28T21:16:31.383

Modified: 2026-05-29T18:17:12.200

Link: CVE-2026-46775

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T21:45:27Z

Weaknesses