CVE-2026-35277: Oracle REST Data Services Authorization Bypass
Oracle REST Data Services contains a flaw that allows authenticated users with basic network access to read and modify sensitive data they shouldn't be able to access. An attacker with a low-privilege account can exploit this remotely without user interaction, potentially accessing, changing, or deleting critical information across the service. This is a significant risk because it bypasses normal data access controls.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-284, CWE-400
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-35277 is an authorization bypass vulnerability in Oracle REST Data Services (versions 24.2.0 through 26.1.0) rooted in improper access control (CWE-284) and potentially resource exhaustion concerns (CWE-400). The vulnerability is triggered via HTTPS when a low-privileged, authenticated attacker makes targeted requests. The flaw permits unauthorized read and write operations on critical data repositories within the REST Data Services infrastructure, compromising both confidentiality and integrity. The attack requires only network-level access and valid credentials—no complex exploitation chain or user interaction is needed, making it straightforward to execute.
Business impact
Data breach risk is the primary concern. Attackers exploiting this vulnerability could exfiltrate sensitive business data, modify or delete records, or corrupt databases accessed through REST Data Services. In regulated environments (finance, healthcare, government), unauthorized data access or modification can trigger compliance violations, incident response costs, and reputational damage. The ease of exploitation means the window between discovery and abuse is likely short, especially if the vulnerability becomes public or tool-ified.
Affected systems
Oracle REST Data Services versions 24.2.0, 24.3.0, 25.x.x, and 26.0.0–26.1.0 are in scope. Any deployment hosting REST Data Services in these versions and exposed to network traffic is at risk, particularly those serving as middleware or API gateways for database access. Organizations should audit their inventory to identify all instances, including development, test, and production environments.
Exploitability
This vulnerability is easily exploitable. An attacker needs only valid credentials at any privilege level and network access via HTTPS—no special tools, no zero-click triggers, no race conditions. The CVSS vector (AC:L, PR:L, UI:N) confirms low attack complexity and low privilege requirements. While not yet observed in the wild (KEV status: not listed), the straightforward attack surface means exploitation is highly likely once details circulate. Internal threats (disgruntled employees, compromised service accounts) pose immediate risk.
Remediation
Apply security patches released by Oracle for affected versions. Oracle has published fixes that close the authorization bypass; patch guidance and version numbers are available in the official Oracle Security Alert. For environments where immediate patching is infeasible, consider restricting network access to REST Data Services endpoints using firewall rules or API gateway policies, limiting exposure to trusted internal networks only. Review and rotate low-privilege service account credentials that could be used to trigger the vulnerability.
Patch guidance
Consult the official Oracle Critical Patch Update (CPU) or security advisory corresponding to the publication date (May 28, 2026) for specific patch versions and upgrade paths. Patches are cumulative; plan upgrades to stable versions beyond the affected range (26.1.0). Test patches in a non-production environment first to avoid service interruption. Oracle typically provides extended support timelines and guidance for migrations. Verify patch application by confirming version numbers post-deployment and re-running any internal access control verification tests.
Detection guidance
Monitor REST Data Services access logs for anomalous patterns: low-privilege accounts accessing or modifying data outside their normal scope, unusual volume of read/write operations, or requests targeting known sensitive tables or APIs. Network-level detection should flag repeated HTTPS connections from unfamiliar source IPs to REST Data Services ports. Deploy WAF or API gateway rules to detect unauthorized data modification attempts. Correlate authentication logs with data access events to identify privilege escalation or lateral movement. Proactive scanning of affected version deployments can confirm exposure before exploitation.
Why prioritize this
HIGH severity (CVSS 8.1) combined with ease of exploitation and wide affected version range demands urgent attention. The vulnerability requires only low privileges and network access—a low bar for attacker entry. Data confidentiality and integrity impacts directly threaten business operations and compliance. Lack of KEV listing does not imply safety; the simplicity of the attack makes mass exploitation probable once technical details emerge. Organizations should prioritize patching or compensating controls within weeks, not months.
Risk score, explained
The CVSS 3.1 score of 8.1 reflects high impact (complete confidentiality and integrity compromise of accessible data) combined with low barriers to exploitation (network-accessible, low privilege, no user interaction). The score stops short of critical (9.0+) because availability is not impacted and the attack scope remains limited to the affected service. However, in multi-tenant or sensitive data contexts, the real-world risk can feel higher due to regulatory or business consequences.
Frequently asked questions
Do we need valid credentials to exploit this vulnerability?
Yes. The vulnerability requires a low-privileged authenticated account—not unauthenticated access. However, 'low privileged' means standard user-level credentials, not admin accounts. Compromised service accounts, shared accounts, or insider threats all qualify as viable attack vectors.
Is this vulnerability being actively exploited in the wild?
As of the publication date, this CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning no public exploitation has been formally documented. However, given the ease of exploitation, security teams should assume active research and development of exploit code is underway and prepare defenses accordingly.
What is the difference between versions 26.0.0 and 26.1.0—are both vulnerable?
Yes, both versions 26.0.0 through 26.1.0 are confirmed vulnerable. Patches are expected to be released in versions beyond 26.1.0. Verify exact patch version numbers in the Oracle advisory before upgrading.
Can network segmentation reduce our risk while we prepare to patch?
Yes. Restricting network access to REST Data Services endpoints to only trusted internal subnets, disabling external HTTPS access, and using API gateway authentication policies can meaningfully reduce exposure. These are compensating controls, not replacements for patching, but they buy time and reduce the probability of opportunistic exploitation.
This analysis is based on publicly available Oracle vulnerability data and CVSS metrics as of the publication date. Patch availability, version numbers, and detailed remediation steps are subject to vendor announcements and should be verified against the official Oracle Security Alert. SEC.co makes no warranty as to the completeness or accuracy of this analysis. Organizations should conduct their own risk assessment and testing before deploying any patches or compensating controls. This document does not constitute legal, compliance, or security advice specific to your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-35266HIGHOracle REST Data Services Authentication & Data Integrity Vulnerability
- CVE-2024-14036HIGHDräger Core Denial of Service via Malformed SDC Messages
- CVE-2025-22426HIGHAndroid ComputerEngine URI Escalation Privilege Vulnerability
- CVE-2026-10069HIGHShibby Tomato miniupnpd Resource Exhaustion Vulnerability
- CVE-2026-32995HIGHRocket.Chat DDP Authentication Bypass Exposes All Private Messages
- CVE-2026-37234HIGHFlexRIC E42 Resource Leak via Multiple xapp_id Binding
- CVE-2026-37235HIGHFlexRIC E42 Message Authentication Bypass – RIC Denial of Service
- CVE-2026-40715HIGHDell ThinOS 10 Privilege Escalation Vulnerability