CRITICAL🇵🇱 Wersja polska

CVE-2026-46840

CVSS 10.0v3.1pub. 2026-05-28upd. 2026-06-04

Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

🤖 AI Analysis
How it works

An attacker with network access can send specially crafted HTTPS requests to Oracle REST Data Services without any credentials and without user interaction. The vulnerability is easy to exploit (low attack complexity level) and can lead to complete takeover of the service. Importantly, due to scope change, a successful attack can negatively impact other products associated with the compromised instance.

Impact

An attacker can gain full control over Oracle REST Data Services, which involves unauthorized access to data, modification of data, and potential disruption of service operation. The consequences may also include other products in the environment.

Mitigation & patch

Patches available from the vendor must be applied immediately in accordance with references published in the Oracle Critical Patch Update from May 2026 (https://www.oracle.com/security-alerts/cspumay2026.html). Until the fix is implemented, it is recommended to restrict network access to Oracle REST Data Services instances at the firewall level.

Who is affected

Oracle REST Data Services in versions 24.2.0 to 26.1.0 (component: Backend-as-a-Service)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Oracle Rest Data Services

    APP
    Oracle
    24.2.0 – 26.1.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth BypassDoS
CWE
References

Related vulnerabilities

CVE-2026-46775CRITICAL9.9PL ✓ten sam produkt

Krytyczna podatność w Oracle REST Data Services umożliwiająca przejęcie kontroli

CVE-2026-46839CRITICAL9.9PL ✓ten sam produkt

Krytyczna podatność w Oracle REST Data Services — przejęcie kontroli

CVE-2017-7657CRITICAL9.8ten sam produkt

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration w...

CVE-2017-7658CRITICAL9.8ten sam produkt

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTT...

CVE-2026-35266HIGH7.9ten sam produkt

Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0...