CVE-2026-46829: Oracle REST Data Services Unauthenticated Denial-of-Service Vulnerability
Oracle REST Data Services versions 24.2.0 through 26.1.0 contain a flaw in the Mongoapi component that allows anyone on the network to crash the service without needing to log in. An attacker can send specially crafted requests over HTTPS to trigger a denial-of-service condition—either a complete hang or repeated crashes—that disrupts availability. No authentication, credentials, or special access is required; the attack works from across the network.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-400
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46829 is an unauthenticated network-accessible denial-of-service vulnerability in Oracle REST Data Services' Mongoapi component. The flaw enables an attacker to send malicious HTTPS requests that trigger uncontrolled resource consumption or improper error handling (CWE-400), resulting in service unavailability. The attack requires only network access and a valid HTTPS path to the service; no user interaction, elevated privileges, or authentication tokens are necessary. The vulnerability affects versions 24.2.0 through 26.1.0.
Business impact
Service availability is the primary business concern. Affected Oracle REST Data Services deployments can be rendered unavailable through repeated denial-of-service attacks, disrupting any applications or workflows that depend on REST data access. This is especially critical for organizations using ORDS to expose Oracle databases to integration partners or internal services. Recovery typically requires manual intervention or service restart, increasing operational burden and potential data access downtime.
Affected systems
Oracle REST Data Services (ORDS) versions 24.2.0, 24.3.0, 25.x.x, and 26.0.0–26.1.0 are confirmed vulnerable. Verify your deployed version via the ORDS administration console or startup logs. The vulnerability is specific to the Mongoapi component, so deployments may be affected only if that component is active. Patch availability and specific fixed versions should be confirmed against the official Oracle security advisory.
Exploitability
This vulnerability is trivial to exploit. An attacker needs only network access to the HTTPS port where ORDS is listening; no credentials, authentication headers, or social engineering are required. The attack is reliable and repeatable. The CVSS score of 7.5 reflects the ease of exploitation (no complexity, no privilege escalation needed) combined with severe availability impact. However, it is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the last update, which does not mean exploitation is unlikely—it reflects the recency of the vulnerability and current threat intelligence coverage.
Remediation
Upgrade Oracle REST Data Services to a patched version above 26.1.0. Consult the Oracle security advisory for the specific fixed version. As an interim mitigation, restrict HTTPS network access to ORDS to only trusted hosts via firewall rules or reverse proxy authentication, reducing the attack surface. If Mongoapi is not required for your deployment, consider disabling it in the ORDS configuration. These measures are temporary; patching remains the authoritative fix.
Patch guidance
Contact Oracle Support or review the Oracle REST Data Services security advisory to obtain the patched release. Upgrade testing should be performed in a non-production environment first, verifying both ORDS functionality and any dependent applications. Plan for a maintenance window, as the upgrade may require ORDS restart. Verify that the patched version is listed in the advisory and that all affected deployments (including any high-availability or clustered configurations) are updated.
Detection guidance
Monitor ORDS application logs for sudden crashes, hangs, or repeated restarts correlated with unusual HTTPS traffic patterns. HTTPS access logs may show requests from unusual sources to Mongoapi endpoints (typically paths containing '/mongo' or similar). Network-level detection of repeated connection attempts followed by disconnects, or unusually large payloads to ORDS, can indicate exploitation attempts. Consider deploying a Web Application Firewall (WAF) rule to rate-limit or block requests to Mongoapi endpoints from untrusted sources pending patching.
Why prioritize this
Despite a non-critical CVSS severity label of HIGH (7.5), this vulnerability warrants prompt remediation because denial-of-service attacks are easily triggered, require no privileges, and directly impact service continuity. If your ORDS instance is internet-facing or exposed to untrusted networks, the risk is elevated. Lack of KEV designation should not delay patching; it reflects recency, not exploitability. Organizations running ORDS as part of mission-critical data access infrastructure should prioritize this within 30 days; those with restricted network access may extend timelines to 60 days pending patch validation.
Risk score, explained
The CVSS 3.1 score of 7.5 reflects three key factors: (1) Attack Vector: Network—exploitable remotely with no privileged access, (2) Attack Complexity: Low—no special conditions or race conditions are required, (3) Availability Impact: High—successful exploitation causes complete or frequent service disruption. Confidentiality and Integrity are not impacted (the vulnerability does not expose data or allow unauthorized modification). The HIGH severity designation is justified given the ease of exploitation, though the absence of data breach risk keeps the score below CRITICAL thresholds.
Frequently asked questions
Is this vulnerability exploited in the wild?
As of the latest update, CVE-2026-46829 is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. However, KEV designation lags real-world exploitation. Given the simplicity of exploitation (no credentials required), assume active threat actors will test for this flaw. Treat it as imminent risk and prioritize patching accordingly.
Can I disable or work around the vulnerability without patching?
Yes, temporarily. Restricting network access to ORDS via firewall rules or a reverse proxy to only trusted hosts will reduce exposure. If Mongoapi is not essential to your deployment, consult Oracle documentation on disabling it. These measures buy time but are not substitutes for patching; they do not eliminate the underlying flaw.
Do I need to patch if my ORDS instance is behind a firewall and only accessed by internal applications?
You should still patch, but the timeline may be less urgent. Network segmentation reduces immediate risk, but insider threats or lateral movement could still trigger the vulnerability. Patch within 60 days as part of normal maintenance; prioritize systems exposed to less-trusted networks (development, partner integrations) first.
What should I do if ORDS crashes due to an exploit attempt?
Check ORDS logs for errors or crashes correlated with unusual requests. Restart the service and immediately implement network access restrictions (firewall rule or WAF rule) to the affected HTTPS port. Then schedule an emergency patch deployment. If crashes continue, escalate to Oracle Support and preserve logs for forensics.
This analysis is provided for informational and educational purposes only. It is based on the official CVE record and CVSS scoring published as of the analysis date. Actual patch version numbers, availability dates, and vendor statements must be verified against the official Oracle Security Advisory before remediation. SEC.co makes no warranty as to the completeness or accuracy of this analysis and assumes no liability for decisions or actions taken in reliance on this content. Always consult your vendor's official guidance and your organization's change management and security policies before patching or implementing mitigations in production environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-35266HIGHOracle REST Data Services Authentication & Data Integrity Vulnerability
- CVE-2026-35277HIGHOracle REST Data Services Authorization Bypass
- CVE-2026-46834HIGHOracle Database Net Service DoS Vulnerability (CVSS 7.5)
- CVE-2026-46835HIGHOracle Database Server Net Service Denial of Service (CVSS 7.5)
- CVE-2026-46843MEDIUMOracle REST Data Services DoS Vulnerability—Patch Guidance
- CVE-2024-14036HIGHDräger Core Denial of Service via Malformed SDC Messages
- CVE-2026-10069HIGHShibby Tomato miniupnpd Resource Exhaustion Vulnerability
- CVE-2026-37234HIGHFlexRIC E42 Resource Leak via Multiple xapp_id Binding