Description
Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
Published: 2026-05-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Mongoapi component of Oracle REST Data Services and allows an attacker with network connectivity over HTTPS to read a subset of data without authentication. The unauthorized read results in a confidentiality impact only, as indicated by the CVSS analysis.

Affected Systems

Oracle REST Data Services versions 24.2.0 through 26.1.0 are affected. Users should verify the exact build of the product and consider upgrading beyond 26.1.0 when available.

Risk and Exploitability

The CVSS 3.1 Base Score is 5.3, which corresponds to Medium severity. The EPSS score indicates a very low exploitation probability (< 1%), and the vulnerability is not listed in the CISA KEV catalog. The attack can be performed by any network user who can reach the service’s HTTPS endpoint, underscoring the need for network isolation or proper authentication.

Generated by OpenCVE AI on May 29, 2026 at 18:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oracle REST Data Services to a release beyond 26.1.0 that resolves the Mongoapi access control flaw.
  • Restrict inbound traffic to the REST Data Services instance by firewall rules or virtual network segmentation, limiting exposure to trusted hosts.
  • Enforce strict access controls and review the data exposed by the service to ensure only necessary information is available.

Advisories

No advisories yet.

History

Fri, 29 May 2026 18:30:00 +0000

Type | Values Removed | Values Added
Title | | Unauthorized Data Disclosure via Mongoapi in Oracle REST Data Services

Fri, 29 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-200

Thu, 28 May 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
First Time appeared | | Oracle, Oracle rest Data Services
CPEs | | cpe:2.3:a:oracle:rest_data_services:*:*:*:*:*:*:*:*
Vendors & Products | | Oracle, Oracle rest Data Services
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-29T15:30:21.332Z

Reserved: 2026-05-18T15:55:10.304Z

Link: CVE-2026-46830

Vulnrichment

Updated: 2026-05-29T15:30:16.288Z

NVD

Status: Undergoing Analysis

Published: 2026-05-28T21:16:33.070

Modified: 2026-05-29T16:16:30.277

Link: CVE-2026-46830

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T18:15:04Z

Weaknesses