CVE-2026-46829 - Vulnerability Details

Description

Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Published: 2026-05-28

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Oracle REST Data Services (Mongoapi component) has an easily exploitable vulnerability that allows an unauthenticated attacker with network access via HTTPS to cause the application to hang or repeatedly crash, leading to a complete denial of service.

Affected Systems

Oracle REST Data Services versions 24.2.0 through 26.1.0 are affected. Any deployment of the Mongoapi component within this version range is vulnerable, regardless of the underlying operating system or hosting environment.

Risk and Exploitability

The CVSS base score of 7.5 highlights a significant availability impact. The vulnerability requires no authentication and can be triggered from the network over HTTPS, so any actor with connectivity to the REST Data Services endpoint can exploit it. The EPSS score is 0.0004, indicating a very low likelihood of exploitation, and the vulnerability is not listed in CISA KEV. Given the ease of exploitation and the high availability impact, the risk to live services is considerable.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle REST Data Services

affected

Version	Status	Constraints
`24.2.0`	affected	≤ 26.1.0

No data.

Vendor Product Confidence Versions

Oracle

Rest Data Services

95%

Version	Status	Scheme	Platform
`[24.2.0,26.1.0]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Oracle REST Data Services to a version newer than 26.1.0 that incorporates vendor’s fix for the Mongoapi vulnerability.
Restrict inbound HTTPS traffic to the REST Data Services endpoint, allowing only trusted networks or VPN connections to limit exposure to unauthenticated attackers.
Implement monitoring for application crash events to detect and respond to denial‑of‑service attempts early.

Generated by OpenCVE AI on May 29, 2026 at 19:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0004.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://www.oracle.com/security-alerts/cspumay2026.html

History

Fri, 29 May 2026 18:30:00 +0000

Type	Values Removed	Values Added
Title	Unauthenticated Remote DoS via Mongoapi in Oracle REST Data Services
Weaknesses	CWE-770

Fri, 29 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-400
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 28 May 2026 22:15:00 +0000

Type	Values Removed	Values Added
Title		Unauthenticated Remote DoS via Mongoapi in Oracle REST Data Services
Weaknesses		CWE-770

Thu, 28 May 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
First Time appeared		Oracle Oracle rest Data Services
CPEs		cpe:2.3:a:oracle:rest_data_services::::::::
Vendors & Products		Oracle Oracle rest Data Services
References		https://www.oracle.com/security-alerts/cspumay2026.html
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Oracle Rest Data Services

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-05-28T20:17:14.504Z

Updated: 2026-05-29T15:29:20.305Z

Reserved: 2026-05-18T15:55:10.304Z

Link: CVE-2026-46829

Vulnrichment

Updated: 2026-05-29T15:29:13.449Z

NVD

Status : Undergoing Analysis

Published: 2026-05-28T21:16:32.950

Modified: 2026-05-29T16:16:30.160

Link: CVE-2026-46829

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T19:30:05Z

Weaknesses

CWE-400

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object