Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
An attacker with minimal network privileges (low privileged) can exploit the vulnerability through the HTTPS protocol without requiring any user interaction. The vulnerability is easy to exploit (Attack Complexity: Low), and its scope extends beyond the product itself (scope change), which means that a successful attack can also compromise other systems or Oracle services cooperating with ORDS. The detailed technical mechanism was not disclosed in the vendor's description.
Successful exploitation of the vulnerability leads to complete takeover of the Oracle REST Data Services instance, including breach of confidentiality, integrity, and availability of data and services. The attack may additionally significantly affect additional products integrated with ORDS.
Patches available from the vendor described in the Oracle Critical Patch Update bulletin from May 2026 should be applied as soon as possible (https://www.oracle.com/security-alerts/cspumay2026.html). Until the update is applied, it is recommended to limit access to the ORDS service only to trusted networks and to verify the permissions of accounts that can connect to the service via HTTPS.
Oracle REST Data Services (ORDS) in versions 24.2.0 through 26.1.0 (inclusive)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HOracle Rest Data Services
APPOracle24.2.0 – 26.1.0
Related vulnerabilities
Krytyczna podatność w Oracle REST Data Services umożliwiająca przejęcie kontroli
Krytyczna podatność w Oracle REST Data Services — przejęcie kontroli bez uwierzytelnienia
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration w...
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTT...
Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0...