Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
An attacker with network access can send specially crafted HTTPS requests to Oracle REST Data Services without any credentials and without user interaction. The vulnerability is easy to exploit (low attack complexity level) and can lead to complete takeover of the service. Importantly, due to scope change, a successful attack can negatively impact other products associated with the compromised instance.
An attacker can gain full control over Oracle REST Data Services, which involves unauthorized access to data, modification of data, and potential disruption of service operation. The consequences may also include other products in the environment.
Patches available from the vendor must be applied immediately in accordance with references published in the Oracle Critical Patch Update from May 2026 (https://www.oracle.com/security-alerts/cspumay2026.html). Until the fix is implemented, it is recommended to restrict network access to Oracle REST Data Services instances at the firewall level.
Oracle REST Data Services in versions 24.2.0 to 26.1.0 (component: Backend-as-a-Service)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HOracle Rest Data Services
APPOracle24.2.0 – 26.1.0
Related vulnerabilities
Krytyczna podatność w Oracle REST Data Services umożliwiająca przejęcie kontroli
Krytyczna podatność w Oracle REST Data Services — przejęcie kontroli
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration w...
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTT...
Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0...