Description
Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. While the vulnerability is in Net Service, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Net Service. CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-05-28
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the Net Service component of Oracle Database Server, allowing an unauthenticated attacker with TLS-layer network access to compromise the service. Successful exploitation would result in full takeover of Net Service, giving the attacker unauthorized control over database operations. The vulnerability is rated CVSS 3.1 base score 9.0, indicating severe impact on confidentiality, integrity, and availability.

Affected Systems

All supported Oracle Database Server releases from version 23.4.0 through 23.26.2 are impacted. The vulnerability specifically targets the Net Service component, which is used for client connections.

Risk and Exploitability

The CVSS score of 9.0 reflects critical risk. The attack vector requires network-based access over TLS, which is commonly available in customer environments. Because the attack is unauthenticated and only requires connectivity to the Net Service port, an attacker can attempt it from any network that can reach that port, without needing credentials. The vector rates attack complexity as high (AC:H), which matches the description's "difficult to exploit" wording. There is no publicly documented exploit at this time, and the vulnerability is not listed in CISA KEV, but the high severity and the potential for scope change demand immediate attention from database administrators.

Generated by OpenCVE AI on May 28, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle patch for the affected Oracle Database Server releases once available.
  • Enforce strict firewall rules to allow inbound traffic to the Net Service port only from trusted hosts.
  • Enable database auditing and monitor logs for unusual access attempts to the Net Service.

Advisories

No advisories yet.

History

Thu, 28 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Network Service Takeover via TLS in Oracle Database Server
Weaknesses CWE-287

Thu, 28 May 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. While the vulnerability is in Net Service, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Net Service. CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle database - Net Service
CPEs cpe:2.3:a:oracle:database_-_net_service:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle database - Net Service
References
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-29T03:56:03.971Z

Reserved: 2026-05-18T15:55:10.305Z

Link: CVE-2026-46833

Vulnrichment

Updated: 2026-05-28T20:47:26.327Z

NVD

Status: Awaiting Analysis

Published: 2026-05-28T21:16:33.200

Modified: 2026-05-29T02:47:03.023

Link: CVE-2026-46833

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T21:30:26Z

Weaknesses