⚡ Active KEV CVE-2026-46840 2026-05-28

CVE-2026-46840: Critical Unauthenticated Takeover in Oracle REST Data Services

"A maximum-severity (CVSS 10.0) vulnerability in Oracle REST Data Services lets an unauthenticated remote attacker fully compromise the service over HTTPS, with scope-changing impact on adjacent products."

What Is It

CVE-2026-46840 is a critical flaw in Oracle REST Data Services (ORDS), specifically in the Backend-as-a-Service component. Per Oracle's advisory, it is "easily exploitable": an unauthenticated attacker with network access via HTTPS needs no privileges and no user interaction, and the attack complexity is low. Successful exploitation results in complete takeover of the ORDS instance.

The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, yielding the maximum base score of 10.0 with high impact across confidentiality, integrity, and availability. The "scope changed" designation means a compromise of ORDS can significantly impact additional products beyond the vulnerable component itself.

Why It Matters

ORDS is the HTTPS front door to Oracle databases; it exposes RESTful endpoints, SQL Developer Web, and database management interfaces directly to network clients. A pre-auth takeover at this layer effectively hands an attacker a foothold next to the database tier, and the scope-change indicator suggests the blast radius extends to whatever Oracle products sit behind or alongside ORDS.

At CVSS 10.0 with zero authentication required and network reachability over HTTPS, this is the profile of a bug that attracts mass-scanning and rapid weaponization once technical details surface. Internet-exposed ORDS deployments should be treated as priority remediation targets.

What's Vulnerable

KEV status: Not currently listed in the CISA Known Exploited Vulnerabilities catalog at time of writing. No public confirmation of active exploitation in the supplied source material.

Patch Status

Oracle published the fix as part of its Critical Patch Update advisory CPU May 2026 (cspumay2026). Administrators should consult that advisory for the patched version mapping and apply the update immediately on any ORDS deployment in the 24.2.0–26.1.0 range, prioritizing internet-facing instances. Until patched, restrict network exposure of ORDS endpoints to trusted networks only.
