PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46829 Oracle Corporation CVE debrief

Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 contain an unauthenticated denial-of-service vulnerability in the Mongoapi component. The flaw allows remote attackers to cause complete service unavailability (either hangs or repeatable crashes) via HTTPS requests without authentication. The CVSS 3.1 score of 7.5 reflects high availability impact with low attack complexity and no required privileges or user interaction. This vulnerability was disclosed by Oracle in its May 2026 Critical Patch Update.

Vendor: Oracle Corporation
Product: Oracle REST Data Services
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running Oracle REST Data Services versions 24.2.0 through 26.1.0 with the Mongoapi component enabled; database administrators managing ORDS deployments; security teams responsible for Oracle infrastructure patching; compliance officers tracking Critical Patch Update adherence.

Technical summary

The vulnerability exists in the Mongoapi component of Oracle REST Data Services. An unauthenticated attacker can send crafted HTTPS requests that trigger resource exhaustion or fault conditions, resulting in service hangs or crashes. The attack requires no authentication, no user interaction, and is exploitable over the network with low complexity. The complete loss of availability earns a CVSS 3.1 score of 7.5 (HIGH severity).

Defensive priority

HIGH

Recommended defensive actions

  • Apply Oracle Critical Patch Update for May 2026 to affected ORDS deployments immediately.
  • Restrict network access to Oracle REST Data Services Mongoapi endpoints to authorized sources where possible.
  • Monitor ORDS service availability and logs for anomalous HTTPS requests that may indicate exploitation attempts.
  • Validate patch deployment across all instances running versions 24.2.0 through 26.1.0.
  • Review Oracle's security advisory for additional mitigation guidance specific to your deployment configuration.
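The fourth action above, validating patch deployment across every instance in the affected range, is easy to get wrong when version strings are compared as text. The script below is an added example (not PatchSiren's or Oracle's code) that parses dotted version strings into integer tuples and triages an inventory against the range the advisory names, 24.2.0 through 26.1.0 inclusive. The inventory, hostnames and version strings are constructed placeholders; it assumes the operator already records an ORDS version per host, and it deliberately keeps hosts with an unparseable version in their own bucket rather than treating them as safe.

```python
"""Triage an ORDS inventory against CVE-2026-46829's affected range.

Added example (not PatchSiren's or Oracle's code). The only facts taken from
the debrief are the affected range, 24.2.0 through 26.1.0 inclusive. The
inventory below is constructed sample data; hostnames are placeholders and
the version strings are assumed to be what the operator records per host.
"""
from __future__ import annotations

import re

AFFECTED_MIN = (24, 2, 0)  # first affected release named in the advisory
AFFECTED_MAX = (26, 1, 0)  # last affected release named in the advisory

# Accepts "24.2.0", "26.1" (patch component optional), and a leading "v".
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn a dotted version string into an integer tuple.

    Integer tuples compare numerically, so 24.4.1 sorts after 24.2.0 even
    though the raw strings would not compare reliably.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version: str) -> bool:
    """True when the version is inside the advisory's range (inclusive)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map each host to AFFECTED, NOT_IN_RANGE or UNKNOWN.

    UNKNOWN is kept as its own bucket on purpose: a host whose version was
    not recorded must be checked by hand, not silently treated as safe.
    """
    result: dict[str, str] = {}
    for host, version in inventory.items():
        try:
            result[host] = "AFFECTED" if is_affected(version) else "NOT_IN_RANGE"
        except ValueError:
            result[host] = "UNKNOWN"
    return result


# Constructed sample inventory: hostnames and versions are placeholders.
SAMPLE_INVENTORY = {
    "ords-prod-01.example": "24.4.1",
    "ords-prod-02.example": "26.1.0",   # upper bound is inclusive
    "ords-dev-01.example": "26.2.0",    # above the range named in the advisory
    "ords-legacy.example": "23.4.0",    # below the range named in the advisory
    "ords-qa-01.example": "not recorded",
}


def hosts_to_patch(inventory: dict[str, str]) -> list[str]:
    """Hosts that need the May 2026 CPU applied and then re-validated."""
    return sorted(h for h, s in triage(inventory).items() if s == "AFFECTED")


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:13} {host}")
```

NOT_IN_RANGE means only that the recorded version is outside 24.2.0 through 26.1.0; the debrief does not state which release carries the fix, so a host above the range should still be confirmed against Oracle's advisory rather than assumed patched.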

Evidence notes

Oracle's official security advisory confirms affected versions (24.2.0-26.1.0), attack vector (HTTPS), and impact (complete DoS). NVD entry corroborates CVSS 3.1 scoring and vector. No KEV listing or known ransomware campaign use is documented.

Official resources

Oracle disclosed this vulnerability on 2026-05-28 as part of its Critical Patch Update security advisory. The affected component is Mongoapi within Oracle REST Data Services.