Oracle has disclosed a critical (CVSS 9.8) unauthenticated remote vulnerability in Oracle Hospitality OPERA 5 Property Services that allows network attackers to fully compromise the platform over HTTP.
What Is It
CVE-2026-34311 is a vulnerability in the Opera component of Oracle Hospitality OPERA 5 Property Services, part of the Oracle Hospitality Applications suite. Per Oracle's advisory, the flaw is "easily exploitable" and allows an unauthenticated attacker with network access via HTTP to compromise the product. Successful exploitation results in full takeover of OPERA 5 Property Services.
The CVSS 3.1 base score is 9.8 (CRITICAL), with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, meaning remote, low-complexity, no authentication, no user interaction, with high impact to confidentiality, integrity, and availability.
Why It Matters
OPERA 5 is the property management system that runs reservations, guest profiles, folio and billing data, and back-office operations for a large share of hotels worldwide. A pre-authentication HTTP takeover on this platform exposes PII, payment-adjacent data, and operational control of hotel front-desk systems.
The vulnerability is rated by Oracle as easily exploitable and requires no privileges or user interaction, which significantly lowers the bar for opportunistic attacks against internet-reachable or poorly segmented OPERA deployments. CISA KEV does not currently list this CVE as actively exploited, but the profile (unauthenticated, network-reachable, 9.8) is consistent with bugs that attract rapid weaponization.
What's Vulnerable
According to Oracle, the affected supported versions of Oracle Hospitality OPERA 5 Property Services are:
- 5.6.19.24
- 5.6.22
- 5.6.25.19
- 5.6.27.6
- 5.6.28
The affected component is identified as "Opera" within Oracle Hospitality Applications. The attack vector is network-based over HTTP.
Patch Status
Fixes are delivered as part of Oracle's May 2026 Critical Security Patch Update (CPU). Operators of OPERA 5 Property Services should apply the May 2026 CPU on all affected versions as the primary remediation. Given the unauthenticated network exposure, administrators should additionally verify that OPERA 5 HTTP interfaces are not reachable from untrusted networks while patching is rolled out.
Sources
- Oracle Critical Patch Update Advisory - May 2026: https://www.oracle.com/security-alerts/cspumay2026.html
- NVD entry for CVE-2026-34311: https://nvd.nist.gov/vuln/detail/CVE-2026-34311