Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
An attacker with only basic network privileges can exploit the vulnerability in the Core Oracle REST Data Services component via HTTPS protocol without requiring user interaction. The vulnerability is easy to exploit (low attack complexity). A successful attack may extend beyond the directly targeted product and affect other related systems (scope change).
An attacker can completely take over control of Oracle REST Data Services, gaining full access to data (confidentiality breach), ability to modify it (integrity breach), and capability to cause service unavailability (availability breach). The attack may also negatively affect other products connected to the vulnerable service.
Security patches available from the vendor must be applied according to references — Oracle Critical Patch Update from May 2026 (https://www.oracle.com/security-alerts/cspumay2026.html). Immediate update to a patched version is recommended.
Oracle REST Data Services, Core component, versions 24.2.0 through 26.1.0 inclusive.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HOracle Rest Data Services
APPOracle24.2.0 – 26.1.0
Related vulnerabilities
Krytyczna podatność w Oracle REST Data Services — przejęcie kontroli
Krytyczna podatność w Oracle REST Data Services — przejęcie kontroli bez uwierzytelnienia
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration w...
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTT...
Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0...