Description
Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. While the vulnerability is in Net Service, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Net Service. CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-05-28
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the Net Service component of Oracle Database Server, allowing an unauthenticated attacker with TLS‑layer network access to compromise the service. This is an authentication and access control weakness (CWE‑285, CWE‑284). Successful exploitation would result in full takeover of Net Service, giving the attacker unauthorized control over database operations. The vulnerability changes scope, potentially impacting additional products, and is rated CVSS 3.1 base score 9.0, indicating severe impact on confidentiality, integrity, and availability.

Affected Systems

All supported Oracle Database Server releases from version 23.4.0 through 23.26.2 are impacted. The vulnerability specifically targets the Net Service component, which is used for client connections.

Risk and Exploitability

The CVSS score of 9.0 reflects critical risk. The attack vector requires network‑based access over TLS, which is commonly available in customer environments. Because the attack is unauthenticated and requires only connectivity to the Net Service port, an attacker can launch it from any external network without credentials, although the vector rates attack complexity as High (AC:H). The EPSS score of < 1% indicates that the likelihood of active exploitation is very low. There is no publicly documented exploit at this time, and the vulnerability is not listed in CISA KEV, but the high severity and the potential for scope change demand immediate attention from database administrators.

Generated by OpenCVE AI on June 3, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle patch for the affected Oracle Database Server releases.
  • Enforce strict firewall rules to allow inbound traffic to the Net Service port only from trusted hosts.
  • Enable database auditing and monitor logs for unusual access attempts to the Net Service.


Advisories

No advisories yet.

History

Wed, 03 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Title Oracle Net Service TLS Exploit Enables Unauthenticated Takeover
Weaknesses CWE-284
CWE-285

Wed, 03 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Network Service Takeover via TLS in Oracle Database Server
Weaknesses CWE-287

Wed, 03 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:oracle:database_server:*:*:*:*:*:*:*:*

Sat, 30 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Oracle database Server
Vendors & Products Oracle database Server

Thu, 28 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Network Service Takeover via TLS in Oracle Database Server
Weaknesses CWE-287

Thu, 28 May 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. While the vulnerability is in Net Service, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Net Service. CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle database - Net Service
CPEs cpe:2.3:a:oracle:database_-_net_service:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle database - Net Service
References
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-29T03:56:03.971Z

Reserved: 2026-05-18T15:55:10.305Z

Link: CVE-2026-46833

Vulnrichment

Updated: 2026-05-28T20:47:26.327Z

NVD

Status: Analyzed

Published: 2026-05-28T21:16:33.200

Modified: 2026-06-03T18:12:21.470

Link: CVE-2026-46833

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T23:30:35Z

Weaknesses