Description
Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
Published: 2026-05-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the description, the Core component of Oracle REST Data Services handles HTTPS requests that manipulate database records. This vulnerability is an instance of Improper Authentication (CWE-284), enabling an unauthenticated attacker who can reach the service over HTTPS to update, insert, or delete data. This can result in unauthorized modifications of underlying database entries, compromising data integrity. The CVSS score of 5.3 indicates moderate severity with potential for significant integrity impact.

Affected Systems

Oracle REST Data Services versions 24.2.0 through 26.1.0 are vulnerable. The affected product is Oracle Corporation’s Oracle REST Data Services, a component of Oracle’s application development platform. No specific sub‑versions are listed beyond that range.

Risk and Exploitability

The vulnerability is accessible over the network, exploiting the HTTPS interface with no authentication required. The CVSS score of 5.3 indicates moderate severity and a low exploitation complexity. The EPSS score is < 1%, reflecting a low but nonzero exploitation probability. The issue is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. Organizations running the affected releases should consider the risk of an attacker conducting unauthorized data modifications via Improper Authentication (CWE-284).

Generated by OpenCVE AI on May 29, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest available patch or upgrade Oracle REST Data Services to a version that contains the fix.
  • Restrict network access to the REST Data Services endpoints using firewall rules or VPN so that only authorized hosts can communicate with the service.
  • Monitor audit logs for unexpected update, insert, or delete operations originating from unauthorized sources.


Advisories

No advisories yet.

History

Fri, 29 May 2026 20:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTPS Data Modification in Oracle REST Data Services

Fri, 29 May 2026 18:30:00 +0000

Type Values Removed Values Added
Title Oracle REST Data Services Vulnerability Allows Unauthorized Data Modification via HTTPS
Weaknesses CWE-285

Fri, 29 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Thu, 28 May 2026 23:00:00 +0000

Type Values Removed Values Added
Title Oracle REST Data Services Vulnerability Allows Unauthorized Data Modification via HTTPS
Weaknesses CWE-285

Thu, 28 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
First Time appeared Oracle
Oracle REST Data Services
CPEs cpe:2.3:a:oracle:rest_data_services:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle REST Data Services
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-29T15:16:38.986Z

Reserved: 2026-05-18T15:55:10.305Z

Link: CVE-2026-46842

Vulnrichment

Updated: 2026-05-29T15:16:34.453Z

NVD

Status: Undergoing Analysis

Published: 2026-05-28T21:16:34.093

Modified: 2026-05-29T16:16:31.130

Link: CVE-2026-46842

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T20:00:05Z

Weaknesses