PatchSiren cyber security CVE debrief

CVE-2026-46841 Oracle Corporation CVE debrief

A medium-severity information disclosure vulnerability in Oracle REST Data Services (ORDS) allows an unauthenticated attacker with HTTPS network access to read a subset of ORDS-accessible data. Affected versions are 24.2.0 through 26.1.0. Oracle disclosed the vulnerability in its May 2026 Critical Patch Update. No exploitation in ransomware campaigns has been reported.

Vendor
Oracle Corporation
Product
Oracle REST Data Services
CVSS
5.3 (Medium)
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations running Oracle REST Data Services 24.2.0 through 26.1.0. Because the flaw needs no credentials, any ORDS endpoint reachable over the network is in scope; internet-facing deployments and multi-tenant database configurations where data segregation is critical are the highest-risk cases.

Technical summary

Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 contain an easily exploitable vulnerability that lets an unauthenticated attacker with HTTPS network access obtain unauthorized read access to a subset of ORDS-accessible data. Exploitation requires no privileges and no user interaction, and only confidentiality is affected. Those characteristics correspond to the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, which yields the published base score of 5.3 (Medium).

Defensive priority

Medium

Recommended defensive actions

  • Apply the Oracle Critical Patch Update for May 2026 to every affected ORDS installation
  • Where patching is delayed, restrict network access to ORDS endpoints (reverse proxy, firewall or load-balancer allowlists) to authorized sources only, since the flaw needs no credentials
  • Monitor Oracle security alerts for additional guidance on affected configurations
  • Review the ORDS deployment for least privilege: the database accounts behind its connection pools and the set of REST-enabled schemas bound the data an unauthenticated read could reach
  • Validate patch application by checking the running ORDS version against the releases Oracle lists as fixed in the May 2026 CPU (a release later than 26.1.0, or a patched release on an affected branch); a version that still parses as 24.2.0 through 26.1.0 is not fixed
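The version-verification and access-restriction steps above are easiest to apply across a fleet as a triage script. The following is an added example for this debrief, not code from PatchSiren or Oracle. It assumes ORDS version strings look like `24.2.0.r1234567` (three numeric components plus a build tag, an assumption about the format) and treats any version above 26.1.0 as fixed; confirm the actual fixed releases against Oracle's May 2026 CPU before relying on that. The inventory below is constructed sample data.

```python
"""
Triage a fleet inventory of Oracle REST Data Services (ORDS) instances against
the affected range for CVE-2026-46841 (24.2.0 through 26.1.0, inclusive).

Added example for this debrief; not Oracle's or PatchSiren's code.
Assumptions (not from the advisory):
  * version strings look like "24.2.0.r1234567"; only the first three numeric
    components are compared and the build tag is ignored.
  * any version above 26.1.0 counts as fixed. Check Oracle's May 2026 CPU for
    the real fixed releases before trusting that boundary.
"""
import re
from dataclasses import dataclass

AFFECTED_MIN = (24, 2, 0)
AFFECTED_MAX = (26, 1, 0)

# Leading "major.minor.patch"; anything after (e.g. ".r1202222") is ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) from an ORDS version string, or raise."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ORDS version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


@dataclass
class OrdsHost:
    name: str
    version: str
    internet_facing: bool
    allowlisted: bool  # network access already restricted to trusted sources


def triage(host: OrdsHost) -> str:
    """Priority label for one host, based on exposure and interim mitigation."""
    if not is_affected(host.version):
        return "not-affected"
    if host.internet_facing and not host.allowlisted:
        # Unauthenticated flaw reachable from anywhere: nothing stands in the way.
        return "patch-now"
    if host.internet_facing:
        # Exposed, but the recommended interim network restriction is in place.
        return "patch-soon"
    return "patch-scheduled"  # internal-only endpoint


def triage_fleet(hosts) -> dict:
    """Map host name -> priority label for a whole inventory."""
    return {h.name: triage(h) for h in hosts}


# Constructed sample inventory (not real hosts).
SAMPLE = [
    OrdsHost("ords-prod-01", "26.1.0.r5551234", True, False),
    OrdsHost("ords-prod-02", "25.3.1.r4440000", True, True),
    OrdsHost("ords-int-03", "24.2.0.r1202222", False, False),
    OrdsHost("ords-legacy", "24.1.1.r0900000", True, False),
    OrdsHost("ords-dev-05", "26.2.0.r6000001", False, False),
]

if __name__ == "__main__":
    for name, prio in triage_fleet(SAMPLE).items():
        print(f"{name:14s} {prio}")
```

Feed it the output of `ords --version` (or whatever your inventory records) per host; the labels separate hosts that need an emergency patch from those already behind an allowlist or not reachable from outside.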

Evidence notes

Oracle's security alert confirms the affected product versions and the CVSS 3.1 scoring. The NVD entry reflects the vendor's disclosure timing. No CISA KEV listing is recorded in the stored evidence.

Official resources

Oracle disclosed this vulnerability in its May 2026 Critical Patch Update bulletin. The CVE was published to NVD on 2026-05-28 with vendor acknowledgment.