HIGH 7.9

CVE-2026-35266: Oracle REST Data Services Authentication & Data Integrity Vulnerability

Oracle REST Data Services contains a vulnerability that allows an attacker with low-level network access and user credentials to manipulate critical data or disrupt service availability. The attack requires tricking another user into taking action, making it moderately difficult to exploit in practice. Versions 24.2.0 through 26.1.0 are affected. Success can lead to unauthorized access, modification, or deletion of sensitive information, as well as partial service outages.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.9 HIGH · CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L
Weaknesses (CWE)
CWE-352, CWE-400
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 7.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L).

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-35266 is a cross-site request forgery and resource exhaustion vulnerability (CWE-352, CWE-400) in Oracle REST Data Services affecting versions 24.2.0–26.1.0. The vulnerability requires network access over HTTPS, low privilege authentication, and user interaction (UI:R). The attack vector crosses trust boundaries (S:C), allowing an authenticated attacker to achieve high confidentiality and integrity impact with partial availability impact. The high attack complexity (AC:H) reflects multiple exploitation preconditions, likely around social engineering or timing requirements.

Business impact

A successful exploitation could allow attackers to read, modify, or delete critical data stored within or accessible through Oracle REST Data Services instances. The scope change (S:C) indicates the vulnerability may cascade to compromise dependent applications or data stores. For organizations relying on REST Data Services as a data integration or API layer, this poses risks to data integrity, regulatory compliance (if personal or regulated data is exposed), and operational continuity if partial denial of service occurs. The human interaction requirement (UI:R) somewhat limits the attack surface to social engineering scenarios or insider threats.

Affected systems

Oracle REST Data Services versions 24.2.0 through 26.1.0 are affected. This includes deployments on supported Oracle database versions and standalone REST Data Services installations. Check your environment against the 24.2.0–26.1.0 range; installations on older versions and those already on newer patches are unaffected. The vulnerability is in the core component, so all functional areas of REST Data Services may be exposed.

Exploitability

Although the CVSS score is 7.9 (HIGH), this vulnerability is rated 'difficult to exploit' in the official description. This reflects the attack complexity, which requires low privilege credentials, network access, high attack complexity conditions, and user interaction. It is not listed in the KEV catalog, indicating no evidence of public active exploitation at this time. The social engineering or user-interaction requirement (UI:R) reduces opportunistic attack likelihood, though targeted attacks against known low-privilege accounts remain feasible.

Remediation

Upgrade Oracle REST Data Services to a patched version above 26.1.0. Verify the exact patch version against Oracle's official security advisory, as minor versions may contain additional fixes. Until patching is complete, implement network segmentation to restrict HTTPS access to REST Data Services endpoints to trusted clients only, enforce multi-factor authentication for user accounts, and monitor for suspicious cross-origin requests or unusual data modification patterns.

Patch guidance

Consult Oracle's official security bulletin for CVE-2026-35266 to identify the specific patched version number and release date. Plan upgrades during a maintenance window to avoid disruption. Test patches in a non-production environment first, particularly if REST Data Services integrates with downstream applications. Verify that dependent systems continue to function after upgrade, and update any hardcoded REST endpoints or authentication tokens if required.

Detection guidance

Monitor Oracle REST Data Services access logs for unusual data access patterns, modifications, or deletion operations from low-privilege accounts. Look for HTTP requests with unusual Cross-Origin headers or referrer patterns that may indicate CSRF attempts. Implement alerts on unexpected changes to critical data records and partial service unavailability events. Correlate REST Data Services logs with proxy or firewall logs to identify requests from external or unexpected network segments.

Why prioritize this

Despite a CVSS score of 7.9, prioritize this vulnerability because it affects data integrity and confidentiality on a critical integration component. The scope change (S:C) means compromise may extend beyond REST Data Services itself. Organizations should apply patches as part of regular maintenance cycles. The difficulty of exploitation and lack of KEV status provide a modest grace period, but this should not delay planned remediation, especially if REST Data Services holds or controls sensitive data.

Risk score, explained

The CVSS 3.1 score of 7.9 reflects high confidentiality and integrity impact, partial availability impact, and a large scope (affects the vulnerable component and potentially others). The score is moderated by attack complexity (AC:H), the requirement for low privilege, and user interaction. This balances the severity of potential compromise against realistic exploitation barriers. Organizations with stringent access controls and user awareness training may see lower practical risk, while those with permissive access or weak user security culture face higher residual risk.

Frequently asked questions

Do I need to patch if my REST Data Services version is outside 24.2.0–26.1.0?

No. Versions older than 24.2.0 and versions newer than 26.1.0 (after the patched release) are not affected by this specific vulnerability. Confirm your exact version in the REST Data Services admin console or logs, and cross-reference it against Oracle's advisory to ensure you have a patched build if you are within the affected range.

Is this vulnerability being actively exploited?

No. CVE-2026-35266 is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no evidence of public active exploitation or weaponized proof-of-concept code at the time of publication. However, absence from KEV does not guarantee future non-exploitation; patching should still be prioritized per your change management process.

What is the scope change (S:C) and why does it matter?

Scope change means the vulnerability may affect resources beyond the vulnerable component itself—in this case, data or systems that depend on REST Data Services. If your REST Data Services instance is a critical integration hub or gateway to downstream applications, a compromise could cascade to those systems. This elevates the potential business impact even if REST Data Services itself is partially contained.

Can I mitigate this without patching?

Partial mitigation is possible: restrict network access to REST Data Services via firewall rules, enforce multi-factor authentication on all user accounts, disable cross-origin requests if not essential, and monitor access logs for anomalies. However, these controls do not eliminate the vulnerability. Patching is the only permanent fix; mitigations are temporary measures while you prepare for an upgrade.

This analysis is based on the official CVE record and CVSS 3.1 vector published as of June 2026. Patch version numbers, release dates, and detailed remediation steps must be verified against Oracle's official security advisory. SEC.co makes no guarantee of exploit availability, real-world impact, or suitability of mitigations for any specific environment. Always test patches in non-production first and consult your vendor and internal security teams before deploying fixes to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).