MEDIUM 5.3

CVE-2026-46830: Oracle REST Data Services Unauthenticated Data Disclosure (Mongoapi)

Oracle REST Data Services contains an information disclosure vulnerability in its Mongoapi component that allows an unauthenticated attacker to read sensitive data over the network without authentication. An attacker with network access can exploit this flaw via HTTPS to gain unauthorized visibility into data normally protected by REST Data Services, though they cannot modify or delete information. The vulnerability affects versions 24.2.0 through 26.1.0 and requires no special conditions—it's straightforward to trigger.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-200
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46830 is an unauthenticated information disclosure flaw (CWE-200) in the Mongoapi component of Oracle REST Data Services. The vulnerability allows network-based attackers to bypass authentication controls and access a subset of REST Data Services data. The attack vector is HTTPS-based with low attack complexity and no user interaction required. The vulnerability does not enable privilege escalation, data modification, or service disruption—impact is strictly confidentiality. The affected version range spans 24.2.0 through 26.1.0.

Business impact

Information disclosure vulnerabilities in middleware like REST Data Services typically expose database metadata, API schemas, configuration details, or partial data sets that feed downstream applications. For organizations using REST Data Services as an integration layer, unauthorized data access could compromise sensitive business intelligence, customer information, or internal system state. The lack of authentication requirement means the risk is not limited to insider threats or compromised accounts—external threat actors can probe for and exploit the vulnerability. Depending on what data REST Data Services exposes in your environment, this could lead to regulatory compliance violations (GDPR, HIPAA, PCI-DSS) if sensitive personal or payment data is accessible.

Affected systems

Oracle REST Data Services versions 24.2.0, 24.3.x, 25.x.x, and 26.0.x through 26.1.0 are vulnerable. Organizations should verify their exact deployment version and determine whether REST Data Services is directly exposed to network traffic or sits behind application firewalls. The Mongoapi component is typically used for NoSQL data exposure; confirm whether your REST Data Services deployment uses this component and what data it serves.

Exploitability

This vulnerability is easily exploitable by any network-connected attacker. No authentication is required, attack complexity is low, and no user interaction is needed. An attacker simply needs network access to the REST Data Services HTTPS endpoint and can begin probing for data access. The barrier to exploitation is minimal—this is not a theoretical or difficult-to-trigger flaw. However, the vulnerability is not currently tracked in the CISA KEV catalog, suggesting active in-the-wild exploitation has not been widely documented at the time of publication, though this does not eliminate real-world risk.

Remediation

Apply the vendor patch to upgrade Oracle REST Data Services to a version later than 26.1.0, as specified in the Oracle security advisory. Verify the patch version number against the official Oracle advisory to ensure you are deploying the correct update. Until patching is feasible, implement network segmentation to restrict HTTPS access to REST Data Services endpoints to only authorized internal clients and systems. Deploy web application firewalls (WAF) to monitor and block suspicious data access patterns. Audit logs to determine whether the vulnerability has been exploited in your environment.

Patch guidance

Consult the official Oracle security advisory for CVE-2026-46830 to identify the specific patched version(s) for your current release. Oracle typically releases patches on a predictable quarterly schedule; verify the patch release date and prerequisites (database version, other component dependencies) before deploying. Test patches in a non-production environment first to ensure compatibility with dependent applications. Given the ease of exploitation, prioritize patching for Internet-facing or DMZ-deployed REST Data Services instances.

Detection guidance

Monitor REST Data Services access logs for unauthenticated HTTPS requests to the Mongoapi component. Look for GET or query requests from unexpected source IPs, particularly external IPs. Alert on any successful data returns to unauthenticated sessions. Network-based detection can identify probing activity by monitoring for HTTP 200 responses to REST Data Services endpoints from sources that should not have access. Consider ingesting REST Data Services security events into your SIEM to correlate with other security signals. Baseline your normal access patterns first to distinguish anomalies.

Why prioritize this

Although this vulnerability carries a MEDIUM CVSS score (5.3), the combination of unauthenticated network access, low attack complexity, and minimal exploitation barriers warrants prompt attention. The lack of KEV designation does not diminish urgency—it reflects current threat intelligence gaps, not the actual risk. Organizations with REST Data Services exposed to untrusted networks should treat this as high priority. Even for internal-only deployments, the data exposure risk and compliance implications justify early patching relative to other MEDIUM-severity flaws.

Risk score, explained

The CVSS 3.1 base score of 5.3 reflects a MEDIUM severity rating driven by the confidentiality impact (C:L) balanced against the absence of integrity, availability, or privilege escalation effects. The attack vector is Network (AV:N), attack complexity is Low (AC:L), and no authentication (PR:N) or user interaction (UI:N) is required—all factors that increase exploitability. The scope is Unchanged (S:U), meaning the attacker cannot access resources beyond the vulnerable component itself. The score accurately reflects an information disclosure risk; however, organizational context (the sensitivity of data exposed by REST Data Services) may warrant higher prioritization than the numeric score alone suggests.

Frequently asked questions

How can we quickly determine if our REST Data Services deployments are at risk?

Check your Oracle REST Data Services version against the affected range (24.2.0–26.1.0). If you are within this range, verify whether your deployment includes the Mongoapi component and whether it is accessible over the network. Cross-reference your deployment topology against your security controls: if REST Data Services is behind a firewall that restricts inbound HTTPS access to trusted IPs only, your exposure is reduced but not eliminated. Query your access logs for any unusual data retrieval patterns since the vulnerability was published (May 28, 2026).

Does this vulnerability require database credentials or prior access to exploit?

No. This is an unauthenticated vulnerability—an attacker does not need valid database credentials, application accounts, or any prior access. An attacker with network access to the REST Data Services HTTPS endpoint can attempt to read data directly. This is what makes it 'easily exploitable' per the CVSS definition.

What if we cannot patch immediately—what interim controls are available?

Implement network-layer controls such as firewall rules to restrict HTTPS access to REST Data Services to only known, trusted internal clients and systems. Deploy a WAF to inspect and block suspicious REST API queries. Disable or restrict the Mongoapi component if it is not actively used. Enable and monitor audit logging on REST Data Services to detect unauthorized access attempts. These measures reduce but do not eliminate risk; patching remains the primary remediation.

Is this vulnerability being actively exploited in the wild?

As of the vulnerability publication date (May 28, 2026), this flaw is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting widespread in-the-wild exploitation has not been documented yet. However, the ease of exploitation and the public disclosure mean it is prudent to assume exploitation attempts will occur or may already be occurring in targeted environments. Do not wait for KEV inclusion to prioritize remediation.

This analysis is provided for informational purposes and reflects the vulnerability details as published by Oracle and indexed in public vulnerability databases as of June 17, 2026. Patch version numbers, affected product versions, and CVSS scores are derived from official Oracle security advisories and should be verified against the authoritative vendor advisory before deployment decisions are made. The characterization of exploitability and risk is based on the CVSS vector and available threat intelligence; actual risk in your environment depends on your REST Data Services deployment topology, network exposure, and data sensitivity. This document does not constitute legal, compliance, or professional security advice. Organizations should consult their security team, vendor, and compliance stakeholders before implementing changes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).