PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46775 Oracle Corporation CVE debrief

A critical vulnerability in Oracle REST Data Services (ORDS) allows low-privileged attackers with network access to achieve complete system takeover. The vulnerability affects versions 24.2.0 through 26.1.0 and carries a CVSS 3.1 score of 9.9 due to its network attack vector, low complexity, and scope change to additional products. Successful exploitation enables full confidentiality, integrity, and availability compromise. The vulnerability was disclosed by Oracle in their May 2026 Critical Patch Update.

Vendor: Oracle Corporation
Product: Oracle REST Data Services
CVSS: CRITICAL 9.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

  • Organizations running Oracle REST Data Services 24.2.0-26.1.0
  • Database administrators managing Oracle Database deployments with REST API exposure
  • Security teams responsible for Oracle Critical Patch Update cycles
  • Cloud architects using ORDS in multi-tenant or shared database environments, where scope change impacts could cascade to other services

Technical summary

The vulnerability resides in the Core component of Oracle REST Data Services versions 24.2.0-26.1.0. Attackers with low privileges and HTTPS network access can exploit this flaw to compromise ORDS completely. The CVSS scope change metric (S:C) indicates that successful attacks may significantly impact additional products beyond ORDS itself, suggesting potential for lateral movement or trust boundary violations in connected Oracle database environments.

Defensive priority

Critical

Recommended defensive actions

  • Apply Oracle Critical Patch Update for May 2026 immediately to affected ORDS installations
  • Upgrade Oracle REST Data Services to a patched version beyond 26.1.0
  • Review and restrict network access to ORDS endpoints to authorized sources only
  • Audit ORDS deployments for unauthorized configuration changes or unexpected administrative accounts
  • Monitor Oracle security alerts for additional guidance on this vulnerability
  • Conduct impact assessment given the scope change indicator—evaluate connected systems that may be affected through compromised ORDS instances

Evidence notes

Vendor identification relies on reference domain analysis (oracle.com) and is flagged as low confidence for review. The vulnerability description is sourced directly from NVD/CVE.org records. The CVSS vector confirms scope change (S:C), indicating impact beyond the vulnerable component.

Official resources

Oracle disclosed this vulnerability on 2026-05-28 as part of their Critical Patch Update security advisory. The CVE was published to NVD on the same date with status 'Received'. No CISA KEV listing exists at this time.