PatchSiren cyber security CVE debrief

CVE-2026-35277 Oracle Corporation CVE debrief

A high-severity vulnerability in the Core component of Oracle REST Data Services (ORDS) affects versions 24.2.0 through 26.1.0. Published 2026-05-28, this flaw allows a low-privileged attacker with network access via HTTPS to compromise ORDS, potentially resulting in unauthorized creation, deletion, or modification of critical data as well as unauthorized access to all ORDS-accessible data. The CVSS 3.1 score of 8.1 reflects high impact to confidentiality and integrity with no availability impact. Attack complexity is low, and no user interaction is required. Oracle addressed this flaw in its May 2026 Critical Patch Update.

Vendor: Oracle Corporation
Product: Oracle REST Data Services
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running Oracle REST Data Services 24.2.0-26.1.0, particularly those exposing ORDS to external networks or hosting sensitive data. Database administrators, security teams, and compliance officers responsible for Oracle application security should prioritize patching.

Technical summary

The Core component of Oracle REST Data Services in versions 24.2.0-26.1.0 fails to properly validate or authorize requests from low-privileged users over HTTPS. The vulnerability enables a network-based attacker to escalate privileges indirectly through data manipulation, achieving unauthorized read/write access to all ORDS-managed data. No availability impact is associated with this flaw. Because the attack requires authenticated but low-privileged access, insider-threat and compromised-credential scenarios are particularly relevant.

Defensive priority

HIGH

Recommended defensive actions

  • Apply Oracle Critical Patch Update for May 2026 immediately to affected ORDS installations
  • Upgrade Oracle REST Data Services to a patched version beyond 26.1.0
  • Review ORDS deployment access controls and restrict network exposure where possible
  • Audit ORDS-accessible data for signs of unauthorized access or modification
  • Monitor HTTPS access logs for anomalous activity from low-privileged accounts

Evidence notes

CVE published 2026-05-28T21:16:29.460Z. CVSS 3.1: 8.1 (High). Attack vector: network, low complexity, low privileges required, no user interaction. Confidentiality and Integrity impacts rated HIGH; Availability impact NONE. Oracle security alert reference provided.

Official resources

Oracle REST Data Services (ORDS) versions 24.2.0-26.1.0 contain an easily exploitable vulnerability in the Core component. A low-privileged attacker with network access via HTTPS can compromise the service, leading to unauthorized data tam-