PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46843 Oracle Corporation CVE debrief

A medium-severity vulnerability in Oracle REST Data Services (ORDS) Core component affects versions 24.2.0 through 26.1.0. The vulnerability allows unauthenticated network attackers to cause partial denial of service via HTTPS. Published 2026-05-28 with CVSS 3.1 score 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). No known exploitation in the wild or ransomware campaign use. Oracle has issued a security alert as the authoritative remediation source.

Vendor
Oracle Corporation
Product
Oracle REST Data Services
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations running Oracle REST Data Services versions 24.2.0-26.1.0, particularly those with internet-facing ORDS deployments or multi-tenant database environments where service availability is critical.

Technical summary

Oracle REST Data Services (component: Core) contains an easily exploitable vulnerability allowing unauthenticated attackers with network access via HTTPS to cause partial denial of service. The vulnerability affects versions 24.2.0 through 26.1.0. CVSS 3.1 Base Score 5.3 indicates medium severity with availability impact only—no confidentiality or integrity compromise possible. Attack vector is network-based with low complexity, requiring no privileges or user interaction.

Defensive priority

medium

Recommended defensive actions

  • Review Oracle Critical Patch Update May 2026 security alert for available patches
  • Identify ORDS deployments running versions 24.2.0 through 26.1.0
  • Apply Oracle-provided patches or updates to affected ORDS instances
  • Monitor ORDS service availability for anomalous degradation patterns
  • Restrict network access to ORDS management interfaces where feasible per organizational policy
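The second action above, identifying deployments in the affected range, is easy to get wrong with string comparison (for example "24.10.0" sorts before "24.2.0" as text but is newer numerically). The following is an added example, not code from PatchSiren or Oracle, that compares version strings numerically against the range the debrief states (24.2.0 through 26.1.0, inclusive). The trailing build suffix in the sample strings (such as ".r1234") and the host names are constructed assumptions, not real ORDS output or real hosts.

```python
"""Triage an ORDS inventory against the affected range for CVE-2026-46843.

Affected range taken from the debrief: 24.2.0 through 26.1.0, inclusive.
"""
import re
from typing import Iterable, List, Tuple

AFFECTED_MIN = (24, 2, 0)
AFFECTED_MAX = (26, 1, 0)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return the leading major.minor.patch numbers of a version string.

    Anything after the third numeric component (e.g. a build suffix like
    '.r1234', an assumed format) is ignored; missing components default to 0.
    """
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies inside the affected range (tuple comparison
    is numeric per component, so 24.10.0 correctly counts as newer than 24.2.0)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Given (host, version) pairs, return the hosts that need the Oracle patch."""
    return [host for host, version in inventory if is_affected(version)]


# Constructed sample inventory; host names and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("ords-prod-01.example.internal", "24.2.0.r1234"),  # lower bound, affected
    ("ords-prod-02.example.internal", "25.4.1"),        # inside range
    ("ords-dev-01.example.internal", "24.1.9"),         # below range
    ("ords-dev-02.example.internal", "26.1.0"),         # upper bound, affected
    ("ords-lab-01.example.internal", "26.2.0"),         # above range
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected, apply Oracle patch")
```

Feed `triage()` whatever your asset inventory exports; the only requirement is that each record carries the version string ORDS reports.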

Evidence notes

The CVSS vector confirms a network attack surface with low attack complexity, no privileges required, and no user interaction needed. Impact is limited to availability (partial DoS), with no confidentiality or integrity effects. The affected version range, 24.2.0 through 26.1.0, is explicitly stated.

Official resources

Oracle disclosed this vulnerability via their Critical Patch Update security alert. The issue was received by NVD on 2026-05-28 with vulnStatus 'Received'. No CISA KEV listing exists.