CVE-2026-46841: Oracle REST Data Services Unauthenticated Data Disclosure Vulnerability
Oracle REST Data Services versions 24.2.0 through 26.1.0 contain a network-accessible vulnerability that allows unauthenticated attackers to read sensitive data. An attacker on the network can reach the service over HTTPS without credentials and gain unauthorized access to a subset of the data REST Data Services manages. This is not a critical vulnerability—it does not enable system takeover, data modification, or service disruption—but it does represent a meaningful confidentiality risk for organizations relying on REST Data Services for data access control.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-200
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Vulnerability in Oracle REST Data Services (component: General). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46841 is an information disclosure vulnerability in Oracle REST Data Services' General component. The vulnerability stems from improper access controls, allowing unauthenticated network-based attackers to bypass authentication mechanisms via HTTPS and read restricted data. The vulnerability affects a contiguous version range from 24.2.0 through 26.1.0, suggesting it was introduced or became exploitable at version 24.2.0 and persists through at least 26.1.0. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) confirms network accessibility, no special attack complexity, no privilege requirement, no user interaction, and localized scope with low confidentiality impact. The root cause is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating authentication or authorization bypass logic.
Business impact
Data exposure in REST Data Services can compromise sensitive operational data that applications and dashboards rely on. If your organization uses REST Data Services to expose database content to internal or third-party consumers, an unauthenticated attacker can now read a subset of that data without detection by normal authentication logs. Depending on what data REST Data Services exposes in your environment, this could include personally identifiable information, financial records, configuration details, or other sensitive assets. The lack of integrity or availability impact means your data is not being deleted or modified—only read—but unauthorized disclosure of confidential information can trigger compliance violations (GDPR, HIPAA, SOC 2), regulatory penalties, and reputational harm. Organizations with strict data classification policies will need to treat this as a priority disclosure event.
Affected systems
Any organization running Oracle REST Data Services in versions 24.2.0, 24.3.x, 25.x, or 26.x (up to and including 26.1.0) is affected. REST Data Services is commonly deployed in enterprise environments to enable programmatic, HTTP-based access to Oracle Database objects (tables, views, procedures). Both on-premises and cloud-based deployments using these versions are vulnerable if they are network-accessible. Verify your installed version by checking the REST Data Services administration console or deployment logs.
Exploitability
This vulnerability is easily exploitable in real-world scenarios. An attacker with network access to the HTTPS endpoint (likely accessible from the internet if not properly firewalled) requires no credentials, no special tools, and no user interaction. The attack is deterministic—no race conditions or timing dependencies. However, exploitation is limited to reading a subset of available data; the attacker cannot access all stored data, cannot modify data, and cannot crash the service. The subset limitation suggests REST Data Services may have partial or role-based protections in place, but these have been bypassed for certain data. The lack of KEV status indicates this vulnerability has not yet been added to CISA's Known Exploited Vulnerabilities catalog, but that does not mean active exploits do not exist—it reflects the state of public disclosure and evidence of active exploitation as of the advisory date.
Remediation
Oracle has released patched versions of REST Data Services that address this vulnerability. The remediation pathway depends on your current version. Organizations on 24.2.0–25.x should upgrade to the next available stable release (verify against Oracle's official security advisory for the exact recommended version). Organizations on 26.x should upgrade to 26.1.1 or later (or the next published patch). Before upgrading, test the patched version in a staging environment to ensure compatibility with dependent applications. Consult Oracle's release notes for any breaking changes or configuration adjustments. In parallel, implement network segmentation to restrict HTTPS access to REST Data Services endpoints to only authorized internal clients, and consider enabling additional authentication layers (API keys, OAuth, certificate-based authentication) if REST Data Services supports them.
Patch guidance
1. Identify your current REST Data Services version (visible in the admin UI or logs). 2. Verify the patch availability from Oracle's security advisory—patches are typically released as point versions or patch sets. 3. Schedule a maintenance window and deploy the patched version to your staging environment. 4. Run automated integration tests to confirm REST Data Services continues to serve expected data and that dependent applications can still authenticate and connect. 5. Once validated, deploy to production. Oracle typically recommends testing patches before production deployment to avoid interruption. 6. After patching, re-test access controls to confirm the vulnerability is closed (attempt unauthenticated HTTPS requests to confirm they are rejected). Verify against Oracle's official patch release notes for precise version numbers.
Detection guidance
Organizations should implement the following detection measures: (1) Monitor HTTPS access logs for REST Data Services endpoints, looking for connections from unexpected IP addresses or without valid authentication tokens/session cookies. (2) Enable audit logging within REST Data Services (if available) to track data access requests and flag those without authenticated sessions. (3) Use a Web Application Firewall (WAF) to inspect HTTPS traffic to REST Data Services; flag requests that attempt to bypass authentication headers. (4) Baseline normal data request patterns and alert on anomalies in query volume or unusual data endpoints being accessed. (5) Search your network for any REST Data Services deployments using vulnerability scanning tools (e.g., Qualys, Nessus) to ensure all instances are tracked and patched. (6) If you have network segmentation, monitor attempts to reach REST Data Services from untrusted network zones.
Why prioritize this
While the CVSS score of 5.3 (Medium) is not in the critical range, this vulnerability warrants prioritization for three reasons: (1) It is easily exploitable—no credentials or special attack craft required, just network access. (2) It enables unauthorized data disclosure, which has regulatory and reputational consequences even if the data volume is a subset. (3) REST Data Services is a data-access layer; compromise of this component exposes the data governance model. Organizations should prioritize patching REST Data Services instances that are internet-facing or serve sensitive data (PII, financial records, configuration). Less critical instances (development, non-sensitive data) can follow standard patching schedules.
Risk score, explained
CVE-2026-46841 scores 5.3 in CVSS 3.1, placing it at the upper end of the Medium severity band. The score reflects: (1) Network accessibility (AV:N) – the vulnerability is easily reachable over HTTPS. (2) Low attack complexity (AC:L) – no special conditions or exploits required. (3) No authentication required (PR:N) – unauthenticated attackers can trigger it. (4) Localized confidentiality impact (C:L) – only a subset of data is exposed, not the entire database. (5) No integrity or availability impact (I:N, A:N) – data is not modified or deleted, and the service remains operational. The score does not approach critical (9.0+) or high (7.0–8.9) because the impact is read-only and partial, not full compromise or service disruption. However, the ease of exploitation and data disclosure risk justify urgent patching for sensitive environments.
Frequently asked questions
Is my REST Data Services instance vulnerable if it is behind a firewall and only accessible internally?
Partially. If your network perimeter is properly segmented and no external attacker can reach the HTTPS port, the network attack vector is blocked. However, internal attackers (malicious employees, compromised internal systems) can still exploit it. Patch regardless, as defense-in-depth requires fixing both network access controls and the vulnerability itself.
Can an attacker use this vulnerability to modify or delete data?
No. The CVSS vector (I:N) indicates no integrity impact. Attackers can only read a subset of accessible data. They cannot insert, update, or delete records. However, unauthorized read access can still violate compliance policies and expose sensitive information.
Why does the advisory say 'subset of Oracle REST Data Services accessible data' rather than 'all data'?
This suggests REST Data Services has some role-based or attribute-based access controls in place that partially work, but the vulnerability bypasses them for certain data endpoints or columns. The attacker cannot read everything—only some data that should require authentication. The exact scope depends on your data model and how REST Data Services is configured.
Is there a workaround if I cannot patch immediately?
Implement network-level controls: restrict HTTPS access to REST Data Services to only known internal clients using firewall rules, WAF policies, or VPN requirements. Enable API authentication (if supported) such as API keys or OAuth tokens and reject unauthenticated requests at the reverse proxy level. These do not fix the vulnerability but reduce exposure while you plan patching.
This analysis is provided for informational purposes based on published vulnerability data as of the advisory date. It is not a substitute for official Oracle security advisories or vendor patches. Organizations should verify patch availability and compatibility with their specific REST Data Services deployment directly from Oracle's security advisory. This advisory does not constitute legal advice and does not guarantee protection or compliance. Network and application controls should be implemented alongside patches for defense-in-depth. Consult your security team and vendor support for production deployment decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46830MEDIUMOracle REST Data Services Unauthenticated Data Disclosure (Mongoapi)
- CVE-2026-10254MEDIUMUnauthenticated Information Disclosure in SourceCodester Pet Grooming Software
- CVE-2026-10854MEDIUMMISP Galaxy Visibility Control Bypass – Unauthorized Private Metadata Access
- CVE-2026-10864MEDIUMMISP Dashboard Widget Field Filtering Bypass (Medium)
- CVE-2026-2128MEDIUMBreeze WordPress Plugin Cache Information Disclosure (v2.5.2 and earlier)
- CVE-2026-28511MEDIUMeLabFTW Information Disclosure – Title Exposure via Cross-Scope Search
- CVE-2026-36602MEDIUMMercusys AC12G Kernel Memory Disclosure via UPnP
- CVE-2026-36615MEDIUMMercusys AC12G (EU) Unauthenticated Information Disclosure via /agileconfigreset Endpoint