PatchSiren cyber security CVE debrief

CVE-2026-46830 Oracle Corporation CVE debrief

Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 contain an unauthenticated information disclosure vulnerability in the MongoAPI component. The flaw allows remote attackers with network access via HTTPS to obtain unauthorized read access to a subset of ORDS-accessible data without authentication. The vulnerability is rated CVSS 3.1 Base Score 5.3 (Medium severity) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network attack vector, low attack complexity, no privileges required, no user interaction, and low confidentiality impact with no integrity or availability effects. The vulnerability was disclosed by Oracle in their May 2026 Critical Patch Update security advisory. No known exploitation in the wild or ransomware campaign use has been reported. Organizations should apply Oracle's May 2026 CPU patches and restrict network access to ORDS MongoAPI endpoints where patching is not immediately feasible.