⚡ Active KEV CVE-2026-46775 2026-05-28

CVE-2026-46775: Critical Takeover Flaw in Oracle REST Data Services

Oracle has disclosed a critical (CVSS 9.9) vulnerability in Oracle REST Data Services (ORDS) that allows a low-privileged network attacker to fully take over the service and pivot into adjacent products via a scope change.

What Is It

CVE-2026-46775 is a critical vulnerability in the Core component of Oracle REST Data Services. According to Oracle's advisory, the flaw is "easily exploitable" by a low-privileged attacker with network access over HTTPS, requires no user interaction, and yields complete takeover of ORDS. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) reflects a scope-changed compromise impacting confidentiality, integrity, and availability at the highest level.

Why It Matters

The base score of 9.9 is driven largely by the scope change: although the bug lives in ORDS, Oracle explicitly warns that "attacks may significantly impact additional products." ORDS sits in front of Oracle Database deployments as the HTTPS/REST gateway, so a full takeover of the service is a credible foothold into backend database environments. Combined with low attack complexity, no user interaction, and only low privileges required, this is a high-priority patching target for any organization exposing ORDS to the network.

This CVE does not currently appear in the CISA KEV catalog, so there is no confirmed in-the-wild exploitation at time of writing, but the exploitability profile is well within the range that operators typically weaponize quickly after a Critical Patch Update.

What's Vulnerable

Internet-exposed ORDS instances and any ORDS deployment reachable from less-trusted network segments should be considered in scope.

Patch Status

The vulnerability was disclosed as part of Oracle's May 2026 Critical Patch Update. Administrators should apply the fixes referenced in Oracle's Critical Patch Update advisory to all affected ORDS instances in the 24.2.0–26.1.0 range. Until patched, restrict network reachability of ORDS endpoints and monitor for anomalous authenticated HTTPS activity against the service.

Sources