Description
Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Published: 2026-05-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Oracle REST Data Services permits an unauthenticated attacker to send HTTPS requests that lead to a partial denial of service. The issue resides in the Core component and can be triggered solely by network traffic with no credentials. An attacker who can reach the ORDS endpoint can invoke the vulnerable process, exhausting resources or disrupting normal operation, resulting in reduced availability for legitimate users.

Affected Systems

Oracle REST Data Services versions 24.2.0 through 26.1.0, provided by Oracle Corporation.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 indicates a moderate risk. EPSS data is not available and the vulnerability is not listed in CISA KEV. The flaw can be exploited remotely over HTTPS without authentication, so exposure extends to any actor with network reach to the ORDS instance.

Generated by OpenCVE AI on May 28, 2026 at 22:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle REST Data Services patch or upgrade to a version beyond 26.1.0.
  • Restrict network access to the ORDS HTTPS endpoint with firewall rules or VPN to limit exposure to trusted networks.
  • Verify ORDS configuration to ensure anonymous access is disabled and authentication is enforced for all endpoints.



Advisories

No advisories yet.

History

Fri, 29 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 22:30:00 +0000

Type | Values Removed | Values Added
Title | | Unauthenticated HTTPS Requests Causing Partial Denial of Service in Oracle REST Data Services
Weaknesses | | CWE-400

Thu, 28 May 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
First Time appeared | | Oracle; Oracle rest Data Services
CPEs | | cpe:2.3:a:oracle:rest_data_services:*:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle rest Data Services
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-29T15:15:45.892Z

Reserved: 2026-05-18T15:55:10.305Z

Link: CVE-2026-46843

Vulnrichment

Updated: 2026-05-29T15:15:39.908Z

NVD

Status: Undergoing Analysis

Published: 2026-05-28T21:16:34.223

Modified: 2026-05-29T16:16:31.243

Link: CVE-2026-46843

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T22:15:06Z

Weaknesses