PatchSiren cyber security CVE debrief
CVE-2026-46839 Oracle Corporation CVE debrief
A critical vulnerability in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows low-privileged attackers with network access to achieve complete system takeover. The vulnerability, published May 28, 2026, carries a CVSS 3.1 score of 9.9 due to its network attack vector, low attack complexity, and scope change to additional products. Successful exploitation enables full confidentiality, integrity, and availability compromise. Oracle has released security updates as part of its May 2026 Critical Patch Update. Organizations should prioritize patching given the easily exploitable nature and severe impact of this vulnerability.
- Vendor: Oracle Corporation
- Product: Oracle REST Data Services
- CVSS: CRITICAL 9.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations running Oracle REST Data Services versions 24.2.0-26.1.0, particularly those with internet-facing ORDS deployments or multi-tenant database environments where scope change could amplify impact.
Technical summary
Oracle REST Data Services (component: Core) contains an easily exploitable vulnerability in versions 24.2.0-26.1.0. A low-privileged attacker with HTTPS network access can compromise ORDS, with attacks potentially impacting additional products through scope change. Successful exploitation results in complete takeover with high impacts to confidentiality, integrity, and availability.
Defensive priority
Critical
Recommended defensive actions
- Apply Oracle Critical Patch Update for May 2026 immediately to affected ORDS installations
- Restrict network access to Oracle REST Data Services to authorized administrative hosts where possible
- Review ORDS deployment architecture for scope change impact to dependent Oracle database environments
- Monitor Oracle security alerts for additional guidance on this vulnerability
- Validate ORDS version and confirm upgrade to patched release outside the 24.2.0-26.1.0 range
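The last action above asks for a version check against the affected range. The following is an added example, not code from PatchSiren or Oracle: a small Python triage helper that parses ORDS version strings and reports which hosts in an inventory fall inside the inclusive 24.2.0-26.1.0 range. The hostnames and version strings are constructed sample data, and the assumption that an ORDS version string begins with a dotted `major.minor.patch` prefix (any trailing build suffix being ignored) is mine, not something the advisory states.

```python
import re
from typing import Dict, List, Tuple

# Affected range taken from the advisory text; both ends are inclusive.
AFFECTED_LOW = (24, 2, 0)
AFFECTED_HIGH = (26, 1, 0)

# Assumption (not from the advisory): the version starts with a numeric triple.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Return the leading major.minor.patch triple of a version string.

    Anything after the third component (build tags, suffixes) is ignored;
    strings that do not start with three dotted integers are rejected.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies within 24.2.0-26.1.0 (inclusive)."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket hosts by whether their reported ORDS version is in range.

    'not_in_range' only means the version is outside 24.2.0-26.1.0; it is not
    by itself confirmation that the May 2026 Critical Patch Update is applied.
    """
    result: Dict[str, List[str]] = {"affected": [], "not_in_range": [], "unparseable": []}
    for host, ver in sorted(inventory.items()):
        try:
            bucket = "affected" if is_affected(ver) else "not_in_range"
        except ValueError:
            bucket = "unparseable"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ords-prod-01": "24.2.0",
    "ords-prod-02": "25.3.1",
    "ords-dev": "26.1.0.r8765",
    "ords-legacy": "23.4.0",
    "ords-new": "26.2.0",
    "ords-odd": "unknown",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts landing in `unparseable` deserve a manual look rather than being treated as safe, and a host reported as `not_in_range` above 26.1.0 should still be cross-checked against Oracle's Critical Patch Update notes, since the advisory text here does not name the specific fixed release.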
Evidence notes
Oracle REST Data Services versions 24.2.0-26.1.0 are confirmed affected. The vulnerability requires HTTPS network access and low privileges to exploit. CVSS vector confirms scope change (S:C) indicating impact beyond the vulnerable component.
Official resources
- CVE-2026-46839 CVE record (CVE.org)
- CVE-2026-46839 NVD detail (NVD)
- Source item: nvd_modified
- Source reference: Oracle disclosed this vulnerability on May 28, 2026, as part of its Critical Patch Update security advisory. The NVD record was published the same day with a 'Received' status. No CISA KEV listing exists at this time.