Oracle disclosed a critical (CVSS 9.9) vulnerability in the Core component of Oracle REST Data Services (ORDS). A low-privileged attacker with network access can fully compromise the product and, because the CVSS vector records a scope change, affect systems beyond ORDS itself.
What Is It
Oracle's advisory describes CVE-2026-46839 as an easily exploitable vulnerability in the Core component of Oracle REST Data Services: a low-privileged attacker with network access over HTTPS can compromise ORDS without any user interaction. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) records a network attack vector, low attack complexity, low privileges required (the attacker needs an existing low-privileged account, not anonymous access), no user interaction, and a scope change, meaning a successful exploit can affect resources beyond ORDS itself. Successful attacks can result in full takeover of Oracle REST Data Services, with high impact to confidentiality, integrity, and availability.
Why It Matters
ORDS is the HTTPS front end used to expose Oracle Database data and PL/SQL logic as REST endpoints. A takeover of ORDS hands an authenticated but low-privileged attacker a foothold from which to pivot into the data layer it fronts. The scope change in the CVSS vector is the key signal: Oracle explicitly notes that "attacks may significantly impact additional products", which is why the score lands at 9.9 instead of stopping at the ORDS boundary (the same vector with Scope: Unchanged scores 8.8). Combined with low attack complexity and no user interaction, this is the kind of flaw that tends to be weaponized quickly against internet-exposed ORDS instances.
What's Vulnerable
- Product: Oracle REST Data Services
- Component: Core
- Affected versions: 24.2.0 through 26.1.0 (inclusive)
- Attack prerequisites: Network access via HTTPS, low-privileged account, no user interaction
Patch Status
Oracle published the fix as part of the Critical Patch Update for May 2026 (cspumay2026). Administrators running any version in the 24.2.0–26.1.0 range should apply the CPU immediately. At the time of publication the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, but the 9.9 score, the scope change, and the low exploitation bar (network access plus a low-privileged account, no user interaction) make this a priority-patch item regardless of KEV status.
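As an added example (not code from Oracle or from the original write-up), the following script triages an inventory of ORDS instances against the affected range stated above. It assumes each instance reports a major.minor.patch version, optionally followed by a build suffix such as .r1234567 (that suffix format is an assumption about ORDS version strings), and the inventory it runs over is constructed sample data.

```python
"""Triage an ORDS fleet against the affected range for CVE-2026-46839.

Added example, not from Oracle's advisory or the original write-up. Assumes
each instance reports a "major.minor.patch" version, optionally followed by a
build suffix such as ".r1234567" (the suffix format is an assumption about
ORDS version strings). The inventory below is constructed sample data.
"""
import re

# Inclusive bounds from the advisory's "24.2.0 through 26.1.0".
AFFECTED_MIN = (24, 2, 0)
AFFECTED_MAX = (26, 1, 0)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.r\d+)?$")


def parse_version(text: str) -> tuple:
    """'25.3.1.r1234567' -> (25, 3, 1); raises ValueError on anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ORDS version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version: str) -> bool:
    """Tuple comparison gives numeric ordering, so 26.1.0 < 26.10.0 is
    handled correctly (a plain string comparison would get that wrong)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(inventory: dict) -> dict:
    """Bucket hosts as affected / not_affected / unknown. A version we cannot
    parse is reported as unknown rather than silently treated as safe."""
    buckets = {"affected": [], "not_affected": [], "unknown": []}
    for host, version in inventory.items():
        try:
            key = "affected" if is_affected(version) else "not_affected"
        except ValueError:
            key = "unknown"
        buckets[key].append(host)
    return buckets


# Constructed sample inventory: host -> version string as reported by the instance.
SAMPLE_INVENTORY = {
    "ords-prod-01": "25.3.1.r1234567",   # inside the range
    "ords-prod-02": "26.1.0",            # upper bound, inclusive
    "ords-dev-01": "24.1.3",             # below the range
    "ords-lab-01": "26.2.0",             # above the range
    "ords-legacy": "version unknown",    # unparseable: flagged, not ignored
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:13s} {', '.join(hosts) or '-'}")
```

The fail-closed handling of unparseable versions is deliberate: in a real fleet the hosts whose version cannot be read are usually the forgotten ones, and they belong on the follow-up list rather than in the "not affected" column.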