MEDIUM 5.3

CVE-2026-46842: Oracle REST Data Services Unauthenticated Data Modification Vulnerability

Oracle REST Data Services versions 24.2.0 through 26.1.0 contain a vulnerability that allows an unauthenticated attacker to modify, add, or delete data accessible through the service over the network. The vulnerability requires no special conditions to exploit and can be triggered via standard HTTPS connections. While an attacker cannot read data or crash the service, they can alter stored information, which poses a direct integrity risk to applications relying on ORDS for data access.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-284
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46842 is an improper access control vulnerability (CWE-284) in Oracle REST Data Services affecting the core component across versions 24.2.0 to 26.1.0. The flaw permits unauthenticated network attackers to perform unauthorized data modification operations. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) indicates network-accessible attack surface, no authentication requirement, low attack complexity, and integrity-only impact with no confidentiality or availability compromise. The integrity impact is classified as low in the CVSS framework, yet the unauthorized ability to insert, update, or delete data represents a material control violation.

Business impact

For organizations running Oracle REST Data Services in production, this vulnerability creates a direct pathway for data tampering without authentication. Any application or process relying on ORDS for API-driven data operations faces potential data corruption, unauthorized record modifications, or deletion of critical information. The lack of authentication requirement dramatically expands the attack surface—anyone with network connectivity to the ORDS endpoint can attempt exploitation. This is particularly critical for environments where ORDS serves as the primary data access layer for business applications, finance systems, or operational databases. Incident response and data integrity verification costs can be significant.

Affected systems

Oracle REST Data Services (ORDS) versions 24.2.0, 24.3.x, 25.x, and 26.0–26.1.0 are vulnerable. Organizations must inventory ORDS deployments across development, test, and production environments. Version 26.2.0 and later are not listed as affected, though verification against Oracle's official advisory is essential. Check deployment documentation and management consoles to confirm which versions are currently in use. Container-based deployments, cloud-hosted ORDS instances, and on-premises installations are all at risk if running a vulnerable version.

Exploitability

This vulnerability rates as easily exploitable due to unauthenticated network access, no prerequisites, and straightforward HTTP/HTTPS attack vectors. An attacker with basic network connectivity to an ORDS endpoint can craft requests to perform unauthorized data operations. No special tools, authentication tokens, or complex attack chains are required. The low attack complexity and absence of user interaction mean exploitation can be automated at scale. However, exploitability depends on exposure—ORDS instances protected by network segmentation, firewalls, or reverse proxies with authentication gating are harder to reach. The vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog, though the ease of exploitation makes it a likely future target for threat actors.

Remediation

Immediate action is required: upgrade affected ORDS instances to a patched version. Verify the specific patch version number and compatibility requirements from Oracle's official security advisory. Additionally, implement compensating controls: segment ORDS network access using firewalls or network policies, restrict ORDS endpoint exposure to trusted networks only, place a WAF or API gateway with authentication enforcement in front of ORDS, and enable detailed audit logging of all ORDS data modification operations. Monitor for suspicious data changes correlated with failed or unusual API requests.

Patch guidance

Contact Oracle directly or consult the official Oracle Security Alert for CVE-2026-46842 to confirm the patched version numbers and release date. Verify compatibility with your database version, application framework, and any custom ORDS extensions before deployment. Test patches in a non-production environment mirroring your production ORDS configuration. Plan downtime if rolling patches; cluster-based ORDS deployments may allow rolling updates. After patching, validate that data integrity has not been compromised during any unpatched exposure window.

Detection guidance

Monitor ORDS access logs for unauthenticated requests that result in data modification operations (INSERT, UPDATE, DELETE) or unexpected API endpoint calls from external or untrusted IP addresses. Alert on: (1) HTTP 200 or 201 responses to data-modifying requests from unauthenticated sessions; (2) POST/PUT/DELETE requests to REST endpoints without corresponding authorization headers or valid session tokens; (3) unusual data change patterns in your backend database coinciding with ORDS access anomalies. Enable database-level audit logging to track data mutations correlated with ORDS activity. Query your database audit trail for uncommitted or unexpected DML operations during the vulnerability window. Consider SIEM rules that correlate network-visible ORDS requests with database change logs.

Why prioritize this

Prioritize this vulnerability as HIGH for any organization exposing ORDS to untrusted networks, even with a CVSS 3.1 score of 5.3. The unauthenticated attack surface, ease of exploitation, and direct integrity impact warrant rapid patching. This is not a theoretical or low-impact flaw—unauthorized data modification can lead to regulatory violations, audit findings, and business logic failures. Organizations with internet-facing ORDS instances should treat this as critical; those with segmented access can schedule remediation as urgent but with slightly more scheduling flexibility.

Risk score, explained

The CVSS 3.1 base score of 5.3 reflects low integrity impact, no confidentiality loss, and no availability impact. However, this numeric rating underrepresents business and operational risk. The unauthenticated, network-accessible nature of the vulnerability and the relative ease of exploitation elevate the practical threat level. Organizations should layer their risk assessment atop CVSS by considering: network exposure of ORDS, sensitivity of data accessible via ORDS, regulatory requirements around data integrity, and whether ORDS serves critical business processes. A medium CVSS score with high business criticality justifies urgent remediation.

Frequently asked questions

Can an attacker read sensitive data with this vulnerability?

No. The vulnerability allows unauthorized modification, insertion, and deletion of data, but does not grant read or confidentiality compromise. The CVSS vector reflects 'C:N' (no confidentiality impact). However, an attacker could insert decoy records or delete audit trails, complicating detection and investigation.

Does this affect all Oracle products or just REST Data Services?

This vulnerability is specific to Oracle REST Data Services (ORDS). Other Oracle products such as Oracle Database or Oracle Application Server are not directly affected, unless they depend on a vulnerable ORDS instance for data operations. Verify your architecture to confirm ORDS usage.

What if our ORDS instance is behind a firewall or on a private network?

Network segmentation significantly reduces risk. If ORDS is accessible only from trusted internal networks or behind authentication-enforcing gateways, the attack surface is constrained. However, patching remains essential; an insider threat, compromised internal host, or network misconfiguration could still expose the vulnerability.

Is there an exploit publicly available or in active use?

This vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities catalog. However, given the low complexity of exploitation, threat actors may develop weaponized code. Treat this as a high-priority patch regardless of current public exploit availability.

This analysis is provided for informational purposes and based on publicly disclosed vulnerability data as of the publication date. SEC.co does not provide legal, compliance, or official patching advice. Organizations must verify patch availability and compatibility with Oracle's official security advisories and their IT infrastructure. CVSS scores and severity ratings are subject to vendor update and interpretation. Conduct your own risk assessment based on your specific environment, data sensitivity, and network exposure. No exploit code or weaponized attack procedures are provided or implied in this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).