PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-35266 Oracle Corporation CVE debrief

Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 contain a difficult-to-exploit vulnerability in the Core component. A low-privileged attacker with network access via HTTPS can compromise ORDS; successful attacks require human interaction from a victim. The vulnerability has scope change characteristics, meaning a successful attack may significantly affect products beyond ORDS itself. Successful exploitation can result in unauthorized creation, deletion, or modification of critical data; unauthorized access to critical data; and partial denial of service. The CVSS 3.1 base score is 7.9 (HIGH severity).

Vendor
Oracle Corporation
Product
Oracle REST Data Services
CVSS
HIGH 7.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations running Oracle REST Data Services versions 24.2.0 through 26.1.0, particularly those exposing ORDS over HTTPS to external networks or running multi-tier architectures in which the scope change could cascade to systems that depend on ORDS.

Technical summary

The vulnerability exists in the Oracle REST Data Services Core component across versions 24.2.0 to 26.1.0. The attack vector is network-based (HTTPS) with high attack complexity; exploitation requires low privileges and user interaction. Scope changes from the vulnerable component to other impacted products. Confidentiality and integrity impacts are high; availability impact is low. CVSS 3.1 vector: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L.

Defensive priority

HIGH

Recommended defensive actions

  • Apply Oracle Critical Patch Update (CPU) for May 2026 when available, prioritizing ORDS instances exposed to untrusted networks
  • Restrict network access to ORDS administrative interfaces and enforce principle of least privilege for authenticated users
  • Monitor for anomalous HTTPS requests to ORDS endpoints that may indicate exploitation attempts
  • Review ORDS deployment architecture to isolate potential scope change impacts on dependent systems
  • Validate input sanitization and session management configurations in ORDS Core component
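The first two actions above start with knowing which ORDS instances fall in the affected range and which of them face untrusted networks. The script below is an added example, not PatchSiren or Oracle tooling: it checks an inventory against the 24.2.0 through 26.1.0 range stated in this debrief and orders the affected hosts so that internet-exposed instances are patched first. The inventory records, the `exposure` field and the hostnames are constructed for illustration; version strings with a build suffix (for example a fourth component) are handled by comparing only the first three numeric components, which is an assumption about how your inventory records versions.

```python
import re

# Affected range as listed in the debrief (inclusive on both ends).
AFFECTED_MIN = (24, 2, 0)
AFFECTED_MAX = (26, 1, 0)

# Patch ordering: instances reachable from untrusted networks go first.
EXPOSURE_PRIORITY = {"internet": 0, "partner": 1, "internal": 2}


def parse_version(version):
    """Return the first three numeric components of a version string as a tuple.
    Assumption: extra components such as a build tag are ignored for range checks."""
    numbers = re.findall(r"\d+", version)
    if len(numbers) < 3:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(n) for n in numbers[:3])


def is_affected(version):
    """True if the version falls inside the range this debrief lists as affected."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(inventory):
    """Return hostnames of affected instances, most exposed first (stable order
    within an exposure tier so the inventory's own ordering is preserved)."""
    affected = [item for item in inventory if is_affected(item["version"])]
    affected.sort(key=lambda item: EXPOSURE_PRIORITY.get(item["exposure"], 99))
    return [item["host"] for item in affected]


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "ords-prod-01", "version": "25.3.1", "exposure": "internet"},
    {"host": "ords-dev-02", "version": "23.4.0", "exposure": "internal"},
    {"host": "ords-int-03", "version": "24.2.0.r2221005", "exposure": "internal"},
    {"host": "ords-api-04", "version": "26.1.0", "exposure": "internet"},
    {"host": "ords-new-05", "version": "26.2.0", "exposure": "internal"},
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("patch first:" if host.startswith("ords-prod") else "patch:", host)
```

Both range boundaries are treated as affected, matching the debrief's wording; a version outside the range is simply reported as not matching this advisory, not as confirmed fixed, since the fixed release is something to confirm against the Oracle Critical Patch Update itself.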

Evidence notes

CVE published 2026-05-28. Affected versions explicitly listed as 24.2.0-26.1.0. Oracle security alert reference confirms vendor origin. No KEV listing or known ransomware campaign use at time of disclosure.

Official resources

2026-05-28