Description
Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-05-28
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oracle REST Data Services is affected by an easily exploitable flaw that allows an unauthenticated attacker with network reachability over HTTPS to gain full control over the service. The vulnerability permits bypassing authentication checks, enabling an attacker to manipulate or commandeer the REST endpoints, resulting in complete confidentiality, integrity, and availability loss for the affected deployment.

Affected Systems

The affected product is Oracle REST Data Services, with vulnerable versions ranging from 24.2.0 to 26.1.0. Any installation that exposes the Backend‑as‑a‑Service component to external networks is at risk, and because the impact has been flagged as a scope change, other Oracle products that interact with ORDS may also be indirectly affected.

Risk and Exploitability

With a CVSS v3.1 base score of 10.0, this issue is rated critical. The EPSS score is < 1%, indicating a very low but nonzero estimated probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no publicly documented exploitation. However, the description states that the attacker needs only unauthenticated HTTPS connectivity, which suggests that exploitation could succeed trivially once the service is reachable over the network; no public exploit metadata is present.

Generated by OpenCVE AI on May 29, 2026 at 18:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑provided patch for Oracle REST Data Services releases 24.2.0 through 26.1.0 as soon as it is released.
  • Restrict external access to the REST endpoints by configuring firewall or network segmentation to allow HTTPS traffic only from trusted hosts or VPN connections.
  • Disable unused Backend‑as‑a‑Service interfaces and enable strong authentication to reduce the attack surface.

Advisories

No advisories yet.

History

Fri, 29 May 2026 18:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTPS Exploit Enabling Full Compromise of Oracle REST Data Services

Fri, 29 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 23:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTPS Exploit Enabling Full Compromise of Oracle REST Data Services
Weaknesses CWE-284
CWE-287

Thu, 28 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle rest Data Services
CPEs cpe:2.3:a:oracle:rest_data_services:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle rest Data Services
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-29T15:18:26.672Z

Reserved: 2026-05-18T15:55:10.305Z

Link: CVE-2026-46840

Vulnrichment

Updated: 2026-05-29T15:18:22.369Z

NVD

Status: Undergoing Analysis

Published: 2026-05-28T21:16:33.837

Modified: 2026-05-29T16:16:30.893

Link: CVE-2026-46840

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T18:15:04Z

Weaknesses