CRITICAL🇵🇱 Wersja polska

CVE-2026-46839

CVSS 9.9v3.1pub. 2026-05-28upd. 2026-06-04

Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

🤖 AI Analysis
How it works

An attacker with minimal network privileges (low privileged) can exploit the vulnerability through the HTTPS protocol without requiring any user interaction. The vulnerability is easy to exploit (Attack Complexity: Low), and its scope extends beyond the product itself (scope change), which means that a successful attack can also compromise other systems or Oracle services cooperating with ORDS. The detailed technical mechanism was not disclosed in the vendor's description.

Impact

Successful exploitation of the vulnerability leads to complete takeover of the Oracle REST Data Services instance, including breach of confidentiality, integrity, and availability of data and services. The attack may additionally significantly affect additional products integrated with ORDS.

Mitigation & patch

Patches available from the vendor described in the Oracle Critical Patch Update bulletin from May 2026 should be applied as soon as possible (https://www.oracle.com/security-alerts/cspumay2026.html). Until the update is applied, it is recommended to limit access to the ORDS service only to trusted networks and to verify the permissions of accounts that can connect to the service via HTTPS.

Who is affected

Oracle REST Data Services (ORDS) in versions 24.2.0 through 26.1.0 (inclusive)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Oracle Rest Data Services

    APP
    Oracle
    24.2.0 – 26.1.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
DoS
CWE
References

Related vulnerabilities

CVE-2026-46775CRITICAL9.9PL ✓ten sam produkt

Krytyczna podatność w Oracle REST Data Services umożliwiająca przejęcie kontroli

CVE-2026-46840CRITICAL10.0PL ✓ten sam produkt

Krytyczna podatność w Oracle REST Data Services — przejęcie kontroli bez uwierzytelnienia

CVE-2017-7657CRITICAL9.8ten sam produkt

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration w...

CVE-2017-7658CRITICAL9.8ten sam produkt

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTT...

CVE-2026-35266HIGH7.9ten sam produkt

Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0...