⚡ Active KEV CVE-2026-46833 2026-05-28

CVE-2026-46833: Critical Oracle Database Net Service Takeover Flaw

A critical vulnerability in Oracle Database Server's Net Service component allows an unauthenticated remote attacker with TLS network access to fully compromise the service, with cascading impact on adjacent products.

What Is It

CVE-2026-46833 is a vulnerability in the Net Service component of Oracle Database Server, disclosed in Oracle's May 2026 Critical Patch Update. It carries a CVSS 3.1 base score of 8.3 (High) with the vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. The flaw is reachable over the network via TLS by an unauthenticated attacker, requires no user interaction, and, although attack complexity is rated High, successful exploitation yields full takeover of Net Service with high impact to confidentiality, integrity, and availability.

Why It Matters

The vulnerability carries a scope change (S:C), meaning a successful attack against Net Service may significantly impact additional products beyond the immediately vulnerable component. Combined with network reach over TLS and no authentication requirement, this gives an attacker a path to compromise core database infrastructure from outside the trust boundary of the Net Service itself. Oracle Database typically sits at the heart of enterprise data flows, so a takeover here can pivot into broader environment compromise.

There is no CISA KEV entry for this CVE at the time of writing, so active in-the-wild exploitation has not been confirmed by CISA. The High attack complexity may slow opportunistic mass exploitation, but the High severity rating and unauthenticated network vector with scope change make this a priority patch for any exposed Oracle Database 23ai deployment.

What's Vulnerable

Patch Status

Oracle addressed this issue in the May 2026 Critical Patch Update (cpumay2026). Administrators running Oracle Database Server 23.4.0–23.26.2 should apply the relevant CPU patches without delay and prioritize systems whose Net Service listener is reachable from untrusted networks. Until patches are applied, restrict network access to the Net Service listener to known, trusted hosts.
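As an added example (not code from the advisory or from Oracle), the Python helper below applies the affected range and the patch-ordering advice above to an inventory: hosts inside 23.4.0–23.26.2 without the May 2026 CPU are flagged, and those whose listener is reachable from untrusted networks are ranked first. The inventory, host names and field names are constructed assumptions.

```python
"""Triage helper for CVE-2026-46833 (constructed example, not Oracle tooling)."""
from dataclasses import dataclass

# Affected range as listed in the advisory text.
AFFECTED_MIN = (23, 4, 0)
AFFECTED_MAX = (23, 26, 2)


def parse_version(text: str) -> tuple:
    """Turn '23.9.0' (or a shorter '23.9') into a 3-part integer tuple."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return (parts + (0, 0, 0))[:3]  # pad so '23.9' compares like 23.9.0


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's listed range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


@dataclass
class DbHost:
    name: str
    version: str
    listener_untrusted_reachable: bool  # assumed field: Net Service listener exposed
    cpumay2026_applied: bool            # assumed field: May 2026 CPU already applied


def triage(hosts):
    """Return (priority, host name) pairs for unpatched affected hosts, most urgent first.

    Priority 1: listener reachable from untrusted networks (patch immediately,
    restrict listener access meanwhile). Priority 2: affected but not exposed.
    """
    results = []
    for h in hosts:
        if not is_affected(h.version) or h.cpumay2026_applied:
            continue
        results.append((1 if h.listener_untrusted_reachable else 2, h.name))
    return sorted(results)


# Constructed inventory; these are not real hosts.
INVENTORY = [
    DbHost("db-internal-01", "23.9.0", False, False),
    DbHost("db-dmz-02", "23.26.1", True, False),
    DbHost("db-patched-03", "23.26.2", True, True),   # already patched
    DbHost("db-old-04", "23.3.0", True, False),       # outside the listed range
]

if __name__ == "__main__":
    for prio, name in triage(INVENTORY):
        print(f"priority {prio}: {name}")
```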
